Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMFE4BD6BD2DC968B7CCC1FA4194799A8C795A0C1ACAC23C7A0AF499F2276D2230
HistoryDec 24, 2019 - 2:40 p.m.

Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-4304)

2019-12-2414:40:29
www.ibm.com
4

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON

Summary

IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability

Vulnerability Details

CVEID:CVE-2019-4304
**DESCRIPTION:**IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160950 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Private 3.2.0 CD
IBM Cloud Private 3.2.1 CD

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

  • IBM Cloud Private 3.2.0
  • IBM Cloud Private 3.2.1

For IBM Cloud Private 3.2.0, apply November fix pack:

For IBM Cloud Private 3.2.1, apply November fix pack:

For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.1.
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud privateeqany

Related

cvelist 1
ibm 31
prion 1
cve 1
cvelist
cvelist
CVE-2019-4304
2019-09-26 00:00:00
ibm
ibm
Security Bulletin: Bypass security restrictions in WAS Liberty
2020-05-22 17:24:14
Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability
2020-01-31 17:24:28
Security Bulletin: IBM MQ Console and REST API are vulnerable to a privilege escalation attack. (CVE-2019-4304)
2020-02-28 12:29:00
prion
prion
Authentication flaw
2019-09-30 16:15:00
cve
cve
CVE-2019-4304
2019-09-30 16:15:00

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON
Related for FE4BD6BD2DC968B7CCC1FA4194799A8C795A0C1ACAC23C7A0AF499F2276D2230
cvelist1ibm31prion1cve1