Lucene search

IBM391D51B05B4BF6F125460B450D4898020BFE671CD521DB1F64A64804B7336499

HistoryFeb 01, 2023 - 9:34 p.m.

Security Bulletin: IBM Process Mining is vulnerable to DOS due to Eclipse Jetty CVE-2018-12545

2023-02-0121:34:35

www.ibm.com

ibm process mining

vulnerability

dos

eclipse jetty

cve-2018-12545

upgrade

1.12.0.4

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.041

Percentile

92.3%

JSON

Summary

Eclipse Jetty is used by IBM Process Mining. CVE-2018-12545

Vulnerability Details

CVEID:CVE-2018-12545
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by the additional CPU and memory allocations required to handle changed settings. By sending either large SETTINGs frames container containing many settings, or many small SETTINGs frames, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161491 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Process Mining	1.12.0.3

Remediation/Fixes

Remediation/Fixes guidance:

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Process Mining	1.12.0.3

Upgrade to version 1.12.0.4

1.Login to PassPortAdvantage

2. Search for
M05JKML Process Mining 1.12.0.4 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M05JJML Process Mining 1.12.0.4 Client Windows Multilingual

| |

Workarounds and Mitigations

None known

Affected configurations

Vulners

Node

ibmcloud_pak_for_automationMatch1.12.0.3

VendorProductVersionCPE
ibmcloud_pak_for_automation1.12.0.3cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_automation	1.12.0.3	cpe:2.3:a:ibm:cloud_pak_for_automation:1.12.0.3:::::::*

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.041

Percentile

92.3%

JSON

Related for 391D51B05B4BF6F125460B450D4898020BFE671CD521DB1F64A64804B7336499