Multiple vulnerabilities in IBM Decision Optimization for IBM Cloud Private for Data (ICP4Data)

Published: 2019-05-11 | Updated: 2023-07-26

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2018-12547 CVE-2019-2426
CWE-ID	CWE-119 CWE-200
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	IBM Decision Optimization for Cloud Pak for Data Server applications / Other server solutions IBM Java SDK Universal components / Libraries / Software for developers
Vendor	IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU77337

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12547

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Decision Optimization for Cloud Pak for Data: before 2.0

IBM Java SDK: before 8.0-5.30

External links

http://www.ibm.com/support/pages/node/876830

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU17050

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-2426

CWE-ID: CWE-200 - Information exposure