Medium Severity

Security Bulletin: A vulnerability in Apache Solr (lucene) affects IBM Operations Analytics – Log Analysis (CVE-2019-4243)

Share this post:

A vulnerability on unrestricted access was addressed by IBM Operations Analytics – Log Analysis.

Affected product(s) and affected version(s):

Affected Product(s) Version(s)
Log Analysis 1.3.1
Log Analysis 1.3.2
Log Analysis 1.3.3
Log Analysis 1.3.4
Log Analysis 1.3.5

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/1109721

More stories

Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server

Dec 12, 2019 7:00 pm EST | Medium Severity

CVEID:   CVE-2019-0220 DESCRIPTION:   A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158948 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID:   CVE-2019-10098 DESCRIPTION:   In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.CVSS Base score: 3.7CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165366 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID:   CVE-2019-10092 DESCRIPTION:   In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.CVSS Base score: 4.7CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165367 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) CVEID:   CVE-2018-20843 DESCRIPTION:   In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).CVSS Base score: 3.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163073 for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVEID:   CVE-2019-4080 DESCRIPTION:   IBM WebSphere Application Server Admin Console 7.5, 8.0, 8.5, and 9.0 is vulnerable to a potential denial of service, caused by improper parameter parsing. A remote attacker could exploit this to consume all available CPU resources. IBM X-Force ID: 157380.CVSS Base score: 6.5CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157380 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-4441 DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163177 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID:   CVE-2019-4477 DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a user with access to audit logs to obtain sensitive information, caused by improper handling of command line options. IBM X-Force ID: 163997.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163997 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) CVEID:   CVE-2019-4046 DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by improper handling of request headers. A remote attacker could exploit this vulnerability to cause the consumption of Memory. IBM X-Force ID: 156242.CVSS Base score: 5.9CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156242 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-4268 DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 160201.CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160201 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID:   CVE-2019-4270 DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin Console is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 160203.CVSS Base score: 5.4CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160203 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVEID:   CVE-2019-4442 DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9,0 could allow a remote attacker to traverse directories on the file system. An attacker could send a specially-crafted URL request to view arbitrary files on the system but not content. IBM X-Force ID: 163226.CVSS Base score: 4.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163226 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) ...read more


Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component in IBM Case Manager (CVE-2019-4426)

Dec 12, 2019 7:00 pm EST | Medium Severity

CVEID:   CVE-2019-4426 DESCRIPTION:   CVSS Base score: 5.4CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162772 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) ...read more


Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component shipped with IBM Business Automation Workflow (CVE-2019-4426)

Dec 12, 2019 7:00 pm EST | Medium Severity

CVEID:   CVE-2019-4426 DESCRIPTION:   Case Builder component shipped with IBM Business Automation Workflow and IBM Case Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.CVSS Base score: 5.4CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162772 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) ...read more