Lucene search

IbmCVE-2020-4325

HistoryApr 02, 2020 - 3:15 p.m.

CVE-2020-4325

2020-04-0215:15:17

CWE-404

ibm

web.nvd.nist.gov

ibm

process federation server

global teams

rest api

thread pool

memory leak

cve-2020-4325

nvd

ibm x-force id 177596

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

32.8%

JSON

The IBM Process Federation Server 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, and 19.0.0.3 Global Teams REST API does not properly shutdown the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine can’t recover the memory used by those thread pools, which leads to an OutOfMemory exception when the Process Federation Server Global Teams REST API is used extensively. IBM X-Force ID: 177596.

Affected configurations

Nvd

Vulners

Node

ibmcloud_pak_for_automationMatch19.0.3

ibmprocess_federation_serverRange18.0.0.1–19.0.0.3

VendorProductVersionCPE
ibmcloud_pak_for_automation19.0.3cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
ibmprocess_federation_server*cpe:2.3:a:ibm:process_federation_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_automation	19.0.3	cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.3:::::::*
ibm	process_federation_server	*	cpe:2.3:a:ibm:process_federation_server::::::::

CNA Affected

[
  {
    "product": "Process Federation Server",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "18.0.0.1"
      },
      {
        "status": "affected",
        "version": "18.0.0.2"
      },
      {
        "status": "affected",
        "version": "19.0.0.1"
      },
      {
        "status": "affected",
        "version": "19.0.0.2"
      },
      {
        "status": "affected",
        "version": "19.0.0.3"
      }
    ]
  },
  {
    "product": "Automation Workstream Services in Cloud Pak for Automation",
    "vendor": "IBM",
    "versions": [
      {
        "status": "affected",
        "version": "19.0.0.3"
      }
    ]
  }
]

References

exchange.xforce.ibmcloud.com/vulnerabilities/177596

www.ibm.com/support/pages/node/6125403

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

32.8%

JSON

Related for CVE-2020-4325