Security Bulletin
Summary
Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java. These vulnerabilities have been addressed in the latest SDK Java releases.
Vulnerability Details
CVE-ID: CVE-2018-19362
Description: An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155093 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-ID: CVE-2018-19361
Description: An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155092 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-ID: CVE-2018-19360
Description: An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/155091 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVE-ID: CVE-2018-1000873
Description: FasterXML jackson-databind is vulnerable to a denial of service, caused by improper input validation by the nanoseconds time value field. By persuading a victim to deserialize specially-crafted input, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/154804 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
| CVE-ID | Affected SDK Releases |
| CVE-2018-19362 | IBM COS SDK Java releases prior to 2.4.2 |
| CVE-2018-19361 | IBM COS SDK Java releases prior to 2.4.2 |
| CVE-2018-19360 | IBM COS SDK Java releases prior to 2.4.2 |
| CVE-2018-1000873 | IBM COS SDK Java releases prior to 2.4.2 |
Remediation/Fixes
| IBM COS SDK Releases | Link to Fix / Fix Availability Target |
| SDK Java 2.4.2 |
https://github.com/IBM/ibm-cos-sdk-java/tree/2.4.2
|
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
28 February 2019
UID
ibm10871810