Feb 09, 2021 - 2:29 p.m.

Security Bulletin: IBM Security Guardium is affected by an "Apache CXF" jar vulnerability

2021-02-09 14:29:58
www.ibm.com

EPSS: 0.007 (Percentile: 80.4%)

Summary

IBM Security Guardium has fixed this vulnerability.

Vulnerability Details

CVEID: CVE-2017-12624
**DESCRIPTION:** Apache CXF is vulnerable to a denial of service. By using a specially crafted message attachment header, a remote attacker could exploit this vulnerability to cause the JAX-WS and JAX-RS services to stop responding.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/135095 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-8039
**DESCRIPTION:** Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with the com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/145516 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Security Guardium | 11.1 |
| IBM Security Guardium | 11.2 |

Remediation/Fixes

| Product | Versions | Fix |
| --- | --- | --- |
| IBM Security Guardium | 11.1 | https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Sec… |
| IBM Security Guardium | 11.2 | http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Drupal%20in… |

Workarounds and Mitigations

None
