IBM Support

Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java (Feb 2019, updated)

Created by Nimesh Patel on
Published URL:
https://www.ibm.com/support/pages/node/871810
871810

Security Bulletin


Summary

Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java. These vulnerabilities have been addressed in the latest SDK Java releases.

Vulnerability Details

CVE-ID: CVE-2018-19362
Description: An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score:  https://exchange.xforce.ibmcloud.com/vulnerabilities/155093  for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2018-19361
Description: An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score:  https://exchange.xforce.ibmcloud.com/vulnerabilities/155092  for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2018-19360
Description: An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score:  https://exchange.xforce.ibmcloud.com/vulnerabilities/155091  for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVE-ID: CVE-2018-1000873
Description: FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score:   https://exchange.xforce.ibmcloud.com/vulnerabilities/154804  for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

CVE-ID Affected SDK Releases
CVE-2018-19362 IBM COS SDK Java releases prior to 2.4.2
CVE-2018-19361 IBM COS SDK Java releases prior to 2.4.2
CVE-2018-19360 IBM COS SDK Java releases prior to 2.4.2
CVE-2018-1000873 IBM COS SDK Java releases prior to 2.4.2

Remediation/Fixes

IBM COS SDK Releases Link to Fix / Fix Availability Target
SDK Java 2.4.2
https://github.com/IBM/ibm-cos-sdk-java/tree/2.4.2

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"STXNRM","label":"IBM Cloud Object Storage System"},"Component":"SDK Java","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"SDK Java releases prior to 2.4.2","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
28 February 2019

UID

ibm10871810