Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR + CVE-2020-15664) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0

Security Bulletin

Summary

Synthetic Playback Agent has addressed the following vulnerabilities: CVE-2020-15664, CVE-2020-15663, CVE-2020-15669

Vulnerability Details

CVEID: CVE-2020-15664
DESCRIPTION: Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an attacker induced prompt for extension installation when a malicious Web page has gained access to the InstallTrigger object. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to allow the installation of an unintended malicious extension.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2020-15663
DESCRIPTION: Mozilla Firefox could allow a remote attacker to gain elevated privileges on the system, caused by a downgrade attack on the Mozilla Maintenance Service. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute updater.exe from the install location with administrative privileges.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187348 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-15669
DESCRIPTION: Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when aborting an operation. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
APM AM	8.1.4
BAM	1.0
APM SaaS	8.1.4
APM on-premise	8.1.4
ICAM	2019.3.0 - 2020.2.0

Remediation/Fixes

Product Remediation	Fix
APM on-premise	Synthetic Playback Agent 8.1.4 IF12
ICAM	ICAM 2020.2.1

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Change History

28 Aug 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSVJUL","label":"IBM Application Performance Management"},"Component":"Monitoring Agent for Synthetic Playback","Platform":[{"code":"PF016","label":"Linux"}],"Version":"8.1.4","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR + CVE-2020-15664) hava affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 - 2020.2.0