Medium Severity

IBM Security Bulletin: Java Vulnerability Affects IBM Connect:Direct Web Services (CVE-2018-1890)

Share this post:

There is a vulnerability in IBM® Runtime Environment Java™ Technology Edition, Version 8 that is used by IBM Connect:Direct Web Services. These issues were disclosed as part of the IBM Java SDK updates in March 2019

CVE(s): CVE-2018-1890

Affected product(s) and affected version(s):
IBM Connect:Direct Web Services from version 5.3 to 6.0.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10888361
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/152081

More stories

Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2019-4096)

Nov 15, 2019 7:00 pm EST | Medium Severity

CVEID:   CVE-2019-4046 DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of Memory. IBM X-Force ID: 156242.CVSS Base score: 5.9CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156242 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) ...read more


Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony

Nov 14, 2019 7:00 pm EST | Medium Severity

CVEID:   CVE-2019-16335 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167205 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID:   CVE-2019-14379 DESCRIPTION:   SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.CVSS Base score: 9.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165286 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID:   CVE-2019-14439 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164744 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ...read more


Security Bulletin: Security vulnerabilities affect IBM Cloud Object Storage SDK Java (November 2019 Bulletin)

Nov 14, 2019 7:00 pm EST | Medium Severity

CVEID:   CVE-2019-16335 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167205 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)   CVEID:   CVE-2019-17267 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.CVSS Base score: 7.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168514 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)   CVEID:   CVE-2019-16943 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.CVSS Base score: 9.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168255 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)   CVEID:   CVE-2019-16942 DESCRIPTION:   A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.CVSS Base score: 9.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168254 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)   CVEID:   CVE-2019-14540DESCRIPTION:   FasterXML jackson-databind could allow a remote attacker to obtain sensitive information, caused by a polymorphic typing issue in com.zaxxer.hikari.HikariConfig. A remote attacker could exploit this vulnerability to obtain sensitive information.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167354 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)   ...read more