SB2018122012 - Multiple vulnerabilities in IBM DataPower Gateway
Published: December 20, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2018-1661)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially specially crafted web page and execute malicious and unauthorized actions transmitted from a user that the website trusts.
2) Input validation error (CVE-ID: CVE-2018-1677)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of full file system. A local attacker can cause a denial of service.
3) Information disclosure (CVE-ID: CVE-2018-1665)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to weak cryptographic algorithms. A remote attacker can decrypt highly sensitive information.
4) Cross-site scripting (CVE-ID: CVE-2018-1667)
The disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can edit new comments from higher-privileged users, trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Man-in-the-middle attack (CVE-ID: CVE-2018-1663)
The vulnerability allows a remote attacker to conduct MITM attack.
The vulnerability exists due to the failure to properly enable HTTP Strict Transport Security. A remote attacker can use man-in-the-middle techniques and gain access to potentially sensitive information.
6) Denial of service (CVE-ID: CVE-2018-1652)
The vulnerability allows a local unprivileged attacker to cause DoS condition.
The vulnerability exists due to unspecified flaw. A local attacker can cause the service to crash.
Remediation
Install update from vendor's website.
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/144887
- https://www.ibm.com/support/docview.wss?uid=ibm10744189
- https://exchange.xforce.ibmcloud.com/vulnerabilities/145171
- https://www.ibm.com/support/docview.wss?uid=ibm10744555
- https://www-01.ibm.com/support/docview.wss?uid=ibm10744195
- https://www-01.ibm.com/support/docview.wss?uid=ibm10744209
- https://www-01.ibm.com/support/docview.wss?uid=ibm10740033
- https://www-01.ibm.com/support/docview.wss?uid=ibm10744557