#VU16639 Information disclosure in IBM DataPower Gateway


Published: 2018-12-13 | Updated: 2018-12-20

Vulnerability identifier: #VU16639

Vulnerability risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1665

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM DataPower Gateway
Client/Desktop applications / Software for system administration

Vendor: IBM Corporation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists because the product relies on weak cryptographic algorithms. A remote attacker can decrypt highly sensitive information protected by them.

Mitigation
Install the update from the vendor's website:

IBM DataPower Gateway 2018.4.1.0, fix IT26802: install the fix pack.
IBM DataPower Gateway 7.6.0.11, fix IT26802: install the fix pack.
IBM DataPower Gateway 7.5.2.18, fix IT26802: install the fix pack.
IBM DataPower Gateway 7.5.1.18, fix IT26802: install the fix pack.
IBM DataPower Gateway 7.5.0.19, fix IT26802: install the fix pack.

Vulnerable software versions

IBM DataPower Gateway: 7.7.0.0 - 7.7.1.3, 7.5.0.0 - 7.5.2.17, 7.6.0.0 - 7.6.0.10


External links
http://www-01.ibm.com/support/docview.wss?uid=ibm10744195


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
