SB2023032334 - Multiple vulnerabilities in IBM Integration Bus

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023032334

SB2023032334 - Multiple vulnerabilities in IBM Integration Bus

Published: March 23, 2023

Security Bulletin ID SB2023032334
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2018-1320)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to bypass security restrictions.

The vulnerability exists due to unspecified flaw. A remote attacker can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.


2) Infinite loop (CVE-ID: CVE-2019-0205)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing user-supplied input. A remote attacker can pass malicious input to the application and consume all available system resources or cause denial of service conditions.


Remediation

Install update from vendor's website.

References