IBM Application Performance Management could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names.
CVEID: CVE-2019-4131
DESCRIPTION: IBM Application Performance Management could allow a remote attacker to induce the application to perform server-side DNS lookups of arbitrary domain names.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158270> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
IBM Cloud Application Performance Management, Base Private 8.1.4
IBM Cloud Application Performance Management, Advanced Private 8.1.4
Product | Product VRMF | Remediation |
---|---|---|
IBM Cloud Application Performance Management, Base Private; IBM Cloud Application Performance Management, Advanced Private | 8.1.4 | The vulnerabilities can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0008 or later server patch to the system where the Cloud APM server is installed: <https://www.ibm.com/support/docview.wss?uid=ibm10874776> |
The 8.1.4.0-IBM-APM-SERVER-IF0008 or later server interim fix prevents the DNS lookups for requests to the apmui, oidc, and uviews services of the Cloud APM server. To prevent server-side DNS lookups from occurring on requests to the Cloud APM server min and server1 services, follow the instructions in the following Cloud APM Knowledge Center topics:
<https://www.ibm.com/support/knowledgecenter/SSHLNR_8.1.4/com.ibm.pm.doc/install/config_server_virtualhosts.htm>
<https://www.ibm.com/support/knowledgecenter/SSHLNR_8.1.4/com.ibm.pm.doc/install/admin_server_virtualhosts.htm>
None
CPE | Name | Operator | Version |
---|---|---|---|
tivoli monitoring | eq | 8.1.4 |