Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.1788
IBM Integration Bus is vulnerable to a remote attack & denial of service
due to Apache Thrift & Apache Commons Codec (CVE-2018-1320,
CVE-2019-0205, IBM X-Force ID: 177835)
24 March 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Integration Bus
Publisher: IBM
Operating System: Windows
Linux variants
z/OS
Resolution: Patch/Upgrade
CVE Names: CVE-2019-0205 CVE-2018-1320
Original Bulletin:
https://www.ibm.com/support/pages/node/6965298
Comment: CVSS (Max): 7.5 CVE-2019-0205 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: IBM
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: IBM Integration Bus is vulnerable to a remote attack &
denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320,
CVE-2019-0205, IBM X-Force ID: 177835)
Document Information
Document number : 6965298
Modified date : 22 March 2023
Product : IBM Integration Bus
Component : -
Software version : 10.1
Operating system(s): Linux
Windows
z/OS
Security Bulletin
Summary
IBM Integration Bus is vulnerable to a remote attack & denial of service due to
Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force
ID: 177835). The fixes include libthrift 0.17.0 & commons-codec version 1.15
Vulnerability Details
CVEID: CVE-2018-1320
DESCRIPTION: Apache Thrift could allow a remote attacker to bypass security
restrictions, caused by the disablement of an assert used to determine if the
SASL handshake had successfully completed. An attacker could exploit this
vulnerability to bypass SASL negotiation isComplete validation in the
org.apache.thrift.transport.TSaslTransport class.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155199 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2019-0205
DESCRIPTION: Apache Thrift is vulnerable to a denial of service, caused by an
error when processing untrusted Thrift payload. A remote attacker could exploit
this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
IBM X-Force ID: 177835
DESCRIPTION: Apache Commons Codec could allow a remote attacker to obtain
sensitive information, caused by the improper validation of input. An attacker
could exploit this vulnerability using a method call to obtain sensitive
information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177835 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
+-------------------+--------------------+
|Affected Product(s)|Version(s) |
+-------------------+--------------------+
|IBM Integration Bus|10.1 |
+-------------------+--------------------+
|IBM Integration Bus|10.0.0.0 - 10.0.0.26|
+-------------------+--------------------+
Remediation/Fixes
IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate fix to IBM Integration Bus
+-----------+----------+-------+----------------------------------------------+
|Product(s) |Version(s)|APAR |Remediation / Fix |
+-----------+----------+-------+----------------------------------------------+
| | | |Interim fix for libthrift APAR (IT43354) & |
|IBM | |IT43354|commons-codec (IT43355) is available to apply |
|Integration|v10.1 |/ |to v10.1 from |
|Bus | |IT43355| |
| | | |IBM Fix Central |
+-----------+----------+-------+----------------------------------------------+
| | | |Interim fix for libthrift APAR (IT43354) & |
|IBM |v10.0.0.0 |IT43354|commons-codec (IT43355) is available to apply |
|Integration|- |/ |to v10.0.0.26 from |
|Bus |v10.0.0.26|IT43355| |
| | | |IBM Fix Central |
+-----------+----------+-------+----------------------------------------------+
Workarounds and Mitigations
None
Change History
10 Mar 2023: Initial Publication
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to
address potential vulnerabilities, IBM periodically updates the record of
components contained in our product offerings. As part of that effort, if IBM
identifies previously unidentified packages in a product/service inventory, we
address relevant vulnerabilities regardless of CVE date. Inclusion of an older
CVEID does not demonstrate that the referenced product has been used by IBM
since that date, nor that IBM was aware of a vulnerability as of that date. We
are making clients aware of relevant vulnerabilities as we become aware of
them. "Affected Products and Versions" referenced in IBM Security Bulletins are
intended to be only products and versions that are supported by IBM and have
not passed their end-of-support or warranty date. Thus, failure to reference
unsupported or extended-support products and versions in this Security Bulletin
does not constitute a determination by IBM that they are unaffected by the
vulnerability. Reference to one or more unsupported versions in this Security
Bulletin shall not create an obligation for IBM to provide fixes for any
unsupported or extended-support products or versions.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZB0qsckNZI30y1K9AQhXCxAAi5vIJo7+h+noXZI7aTa/+yDRNbna01DY
Vy01wCTbRCXMKs42KaqkVlN4sgJjS4iwHOL7jeFnABhJx1CyTgLq2ryPf7XzG3md
aB6Z+7/pMHkO7lmDmD+wQeSxOjsbfwaPfC1U0FfZRVct3izIcRLbmXHGuwqwE5Z5
sJji7gADMs+Lltd4e6Pb64y2CcHzuE2DAHpVz/FUoPshnQJkbSrzCsurLgvmVmMC
1UMaBmXJ0SCyCmy4ueE8QOhdHNXiQKpyIDvJR6u1zKVOxIld4oIuodEBvVRlrdGm
xzh1iS1Y2BPE8iBHMZ3UA0nX6jwQgfDIvEcjun3Cc33SZElCH1fgsYetr9nLuswz
G5Xt47m6C+2rV0FtDi8TlenzUwR06TAdJjG5suKtpzojMaupdsrOPayzBf0fvMgK
uAbz0FebhcVIHgY9m4rI7XxNwL1sJTqWiPxLjLK1eanRe3sc2lnBDTbA3fZu+tQy
9PRdPsoNqx6i4OhiLrLPmz1yytQBXtRnBEIuHXZ3JkyVvT9freICmNwNUU2JCfWC
ccqbbTcbtVe3HyNTdsb+3BpjQL+vt0mHWDeDzG9ECy35o7xcThBnm8+3W8pzkG2z
RjYQuqLnOy8CHCJBIYzpUnxGQg06G9NbwKAA1jmvxoAWOE+LE3BnuBhQ7q8R4aBe
gu0AtulKzco=
=Msub
-----END PGP SIGNATURE-----