SB2019112508 - Multiple vulnerabilities in IBM SmartCloud Analytics
Published: November 25, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CVE-ID: CVE-2019-4214)
The vulnerability allows a remote attacker to gain access to sensitive information on the target system.
The vulnerability exists due to the affected software does not set the secure attribute on authorization tokens or session cookies. A remote attacker can intercept the transmission and obtain information from the cookie in clear text.
2) Incorrect default permissions (CVE-ID: CVE-2019-4243)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories, such as solrconfig.xml or perform disruptive administrator tasks.
3) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2019-4216)
The vulnerability allows a remote attacker to perform host header injection attack.
The vulnerability exists due to improper validation of input. A remote authenticated attacker can abuse the HTTP Host header that could lead to HTTP cache poisoning or firewall bypass.
4) Clickjacking attack (CVE-ID: CVE-2019-4215)
The vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can trick a victim to visit a malicious website and hijack the victim's click actions.
Remediation
Install update from vendor's website.
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159185
- https://www.ibm.com/support/pages/node/1110171
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159517
- https://www.ibm.com/support/pages/node/1109721
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159187
- https://www.ibm.com/support/pages/node/1109745
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159186
- https://www.ibm.com/support/pages/node/1109769