High Severity

IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2018-5391)

Share this post:

IBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to security vulnerability. A vulnerability in the Linux kernel, included in IBM Security Identity Governance and Intelligence (IGI), affects the way the Linux kernel handles reassembly of fragmented IPv4 and IPv6 packets. By sending specially crafted IP fragments with random offsets, a remote attacker could exploit this vulnerability to exhaust all available CPU resources and cause a denial of service.

CVE(s): CVE-2018-5391

Affected product(s) and affected version(s):
IBM Security Identity Governance and Intelligence (IGI) 5.2.4, 5.2.4.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10958679
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148388

More stories

Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Transparent Cloud Tiering

Dec 7, 2019 7:00 pm EST | High Severity

CVEID:   CVE-2019-9514 DESCRIPTION:   Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.CVSS Base score: 7.5CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164640 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-9512 DESCRIPTION:   Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.CVSS Base score: 7.5CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164903 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-9518 DESCRIPTION:   Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.CVSS Base score: 7.5CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164904 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-9515 DESCRIPTION:   Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.CVSS Base score: 7.5CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165181 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ...read more


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

Dec 6, 2019 7:01 pm EST | High Severity

CVEID:   CVE-2019-17531 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.CVSS Base score: 9.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169073 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ...read more


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

Dec 6, 2019 7:01 pm EST | High Severity

CVEID:   CVE-2019-16943 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.CVSS Base score: 9.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168255 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID:   CVE-2019-16942 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.CVSS Base score: 9.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168254 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ...read more