Dec 20, 2019 - 8:47 a.m.

Security Bulletin: IBM Operations Analytics - Log Analysis is vulnerable to potential Host Header Injection (CVE-2019-4216)

2019-12-20 08:47:33
www.ibm.com

EPSS: 0.001 (Low)
Percentile: 19.6%

Summary

IBM Operations Analytics - Log Analysis is vulnerable to HTTP header injection, as an attacker can abuse the HTTP Host header.

Vulnerability Details

CVEID: CVE-2019-4216
DESCRIPTION:
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159187 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| Log Analysis | 1.3.1 |
| Log Analysis | 1.3.2 |
| Log Analysis | 1.3.3 |
| Log Analysis | 1.3.4 |
| Log Analysis | 1.3.5 |

Remediation/Fixes

| Principal Product and Version(s) | Fix details |
| --- | --- |
| IBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5 | Upgrade from current Log Analysis version to Log Analysis 1.3.6 |

You can download the respective platform from Passport Advantage using the following part numbers:

| Part No | Part Name |
| --- | --- |
| CC3VNEN | IBM Operations Analytics Log Analysis Managed - Device based v1.3.6 Linux 64 bit ALL editions English |
| CC3VPEN | IBM Operations Analytics Log Analysis Managed - Device based v1.3.6 zLinux 64 bit ALL editions English |
| CC3VQEN | IBM Operations Analytics Log Analysis Managed - Device based v1.3.6 Power8 ppc64le ALL editions English |

Workarounds and Mitigations

None
