
Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.12.0 ESR + CVE-2020-15659) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF11 + ICAM2019.3.0 - 2020.2.0

Security Bulletin


Summary

Synthetic Playback Agent has addressed the following vulnerabilities: CVE-2020-15659, CVE-2020-15654, CVE-2020-15653, CVE-2020-15652, CVE-2020-15655, CVE-2020-15658, CVE-2020-15656

Vulnerability Details

CVEID:   CVE-2020-15659
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185979 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-15654
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by an error that lets a Web site specifying a custom cursor using CSS overlay the browser user interface. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to confuse the user and leave the browser in a perceived broken state.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185986 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2020-15653
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using noopener links to bypass iframe sandbox with the allow-popups flag.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185982 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2020-15652
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the leaking of redirect targets when loading scripts in a worker. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain the result of a cross-origin redirect.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185981 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:   CVE-2020-15655
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the use of extension APIs to bypass the Same Origin Policy. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185980 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2020-15658
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by improper handling of special characters in file names, which allows an attacker to truncate the displayed file name so that its extension appears to end at an earlier position. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to make the victim download a different file type than the one shown in the download dialog.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185984 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2020-15656
DESCRIPTION:   Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion for special arguments in IonMonkey. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185983 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)      Version(s)
APM AM                   8.1.4
BAM                      1.0
APM SaaS                 8.1.4
APM on-premise           8.1.4
ICAM                     2019.3.0 - 2020.2.0

Remediation/Fixes

Product                  Remediation/Fix
APM on-premise           Synthetic Playback Agent 8.1.4 IF12
ICAM                     ICAM 2020.2.1
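The affected and fixed levels above can be turned into a simple inventory check. The script below is an added example, not IBM tooling: it encodes the thresholds stated in this bulletin (Firefox below 68.12.0 ESR, ICAM 2019.3.0 through 2020.2.0, Synthetic Playback Agent 8.1.4 below IF12) and flags reported component versions that fall inside them. The host inventory and version strings it runs over are constructed for illustration.

```python
"""Added example (not IBM's code): triage reported component versions against
the affected ranges stated in this bulletin."""
import re

# Thresholds taken from the bulletin.
FIREFOX_ESR_FIXED = (68, 12, 0)                      # Firefox < 68.12.0 ESR is affected
ICAM_AFFECTED_RANGE = ((2019, 3, 0), (2020, 2, 0))   # inclusive; fixed in 2020.2.1
SPA_BASE = (8, 1, 4)                                 # Synthetic Playback Agent 8.1.4
SPA_FIXED_IFIX = 12                                  # 8.1.4 IF12 carries the fix


def parse_version(text: str) -> tuple:
    """Turn '68.11.0', '68.11.0esr' or '2020.2' into a tuple of ints.
    Short versions are padded with zeros so '68.12' compares equal to 68.12.0."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def firefox_esr_affected(version: str) -> bool:
    """True when the reported Firefox ESR build is older than 68.12.0."""
    return parse_version(version) < FIREFOX_ESR_FIXED


def icam_affected(version: str) -> bool:
    """True when the ICAM release is within 2019.3.0 - 2020.2.0 (inclusive)."""
    lo, hi = ICAM_AFFECTED_RANGE
    return lo <= parse_version(version) <= hi


def spa_affected(version: str) -> bool:
    """Synthetic Playback Agent levels are written as '8.1.4.0' (GA) or
    '8.1.4 IF11' (interim fix). Any 8.1.4 level below IF12 is affected.
    Levels other than 8.1.4 are outside the bulletin's scope and return False."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(?:\s+IF(\d+))?\s*", version)
    if not m:
        raise ValueError(f"unrecognised agent version: {version!r}")
    base = parse_version(m.group(1))[:3]
    ifix = int(m.group(2)) if m.group(2) else 0
    return base == SPA_BASE and ifix < SPA_FIXED_IFIX


CHECKS = {
    "firefox-esr": firefox_esr_affected,
    "icam": icam_affected,
    "synthetic-playback-agent": spa_affected,
}


def triage(inventory: list) -> list:
    """Return (host, component, version) for every entry that is affected.
    Each inventory entry is a (host, component, version) tuple."""
    return [
        (host, component, version)
        for host, component, version in inventory
        if component in CHECKS and CHECKS[component](version)
    ]


# Constructed sample inventory; hostnames and levels are illustrative only.
SAMPLE_INVENTORY = [
    ("spa-host-01", "synthetic-playback-agent", "8.1.4 IF11"),
    ("spa-host-02", "synthetic-playback-agent", "8.1.4 IF12"),
    ("spa-host-03", "firefox-esr", "68.11.0esr"),
    ("spa-host-04", "firefox-esr", "68.12.0esr"),
    ("icam-01", "icam", "2020.2.0"),
    ("icam-02", "icam", "2020.2.1"),
]

if __name__ == "__main__":
    for host, component, version in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED  {host:12} {component:26} {version}")
```

Run as a script it prints one line per affected entry; the thresholds live in the constants at the top so the same functions can be pointed at a later bulletin by changing those values.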

Workarounds and Mitigations

None


References


Change History

04 Aug 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide


Document Information

Modified date:
27 September 2020

UID

ibm16338509