CVSS2 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |

EPSS Percentile: 95.3%
IBM has provided explicit mitigation for the following Kerberos CVEs. DataPower did not previously provide the conditions necessary to exploit these CVEs. The explicit mitigations provided here protect against possible future changes that might have made them exploitable.
CVEID: CVE-2014-5352
**DESCRIPTION:** MIT krb5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a double-free error in gss_process_context_token(). An attacker could exploit this vulnerability to execute arbitrary code with the privileges of the affected process.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/100842 for the current score.
CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVEID: CVE-2014-4344
**DESCRIPTION:** MIT Kerberos 5 (krb5) is vulnerable to a NULL pointer dereference in the acc_ctx_cont() function within the SPNEGO acceptor for continuation tokens. By sending a specially crafted request, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95210 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2015-2695
**DESCRIPTION:** MIT Kerberos is vulnerable to a denial of service, caused by a pointer type error in the GSS-API library. By issuing a specially crafted gss_inquire_context() call on a partially established SPNEGO context, a remote attacker could exploit this vulnerability to cause the process to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/107874 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM DataPower Gateway V10CD | 10.0.2.0-10.0.3.0 |
IBM DataPower Gateway 10.0.1 | 10.0.1.0-10.0.1.4 |
IBM DataPower Gateway | 2018.4.1.0-2018.4.1.17 |

Affected Product | Fixed in Version | APAR |
---|---|---|
IBM DataPower Gateway V10CD | 10.0.4.0 | IT37935 |
IBM DataPower Gateway 10.0.1 | 10.0.1.5 | IT37935 |
IBM DataPower Gateway 2018.4.1 | 2018.4.1.18 | IT37935 |
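The two tables above are the actionable part of the bulletin for a vulnerability-management team: given a deployed firmware version, decide whether it falls in an affected range and which fix version and APAR apply. The following script is an added example, not IBM's code; it encodes exactly the ranges and fix versions the tables list (APAR IT37935 for all three lines) and compares dotted versions numerically rather than as strings, which is the usual mistake when "10.0.10.0" sorts before "10.0.2.0" lexically. Versions that lie outside every listed range are reported as not listed, not as safe; the function names and the sample versions are constructed for the example.

```python
# Added example (not from the IBM bulletin): match a DataPower firmware version
# against the affected ranges and fix versions given in the advisory tables.
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Advisory(NamedTuple):
    product: str
    low: Version       # first affected version (inclusive)
    high: Version      # last affected version (inclusive)
    fixed_in: Version  # version that carries the fix
    apar: str


def parse_version(text: str) -> Version:
    """Turn a dotted version such as '10.0.1.4' into a tuple of ints so that
    comparisons are numeric per component, not lexical on the string."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# Rows copied from the two advisory tables above.
ADVISORIES = [
    Advisory("IBM DataPower Gateway V10CD",
             parse_version("10.0.2.0"), parse_version("10.0.3.0"),
             parse_version("10.0.4.0"), "IT37935"),
    Advisory("IBM DataPower Gateway 10.0.1",
             parse_version("10.0.1.0"), parse_version("10.0.1.4"),
             parse_version("10.0.1.5"), "IT37935"),
    Advisory("IBM DataPower Gateway 2018.4.1",
             parse_version("2018.4.1.0"), parse_version("2018.4.1.17"),
             parse_version("2018.4.1.18"), "IT37935"),
]


def check_version(version: str) -> Optional[Advisory]:
    """Return the advisory row whose affected range contains `version`,
    or None when the version is outside every listed range."""
    v = parse_version(version)
    for adv in ADVISORIES:
        if adv.low <= v <= adv.high:
            return adv
    return None


def remediation(version: str) -> str:
    """Human-readable verdict for one deployed version."""
    adv = check_version(version)
    if adv is None:
        return f"{version}: not within any affected range listed in this bulletin"
    fixed = ".".join(str(n) for n in adv.fixed_in)
    return f"{version}: affected ({adv.product}); upgrade to {fixed} (APAR {adv.apar})"


if __name__ == "__main__":
    # Constructed sample inventory, one version per line of firmware.
    for sample in ["10.0.1.3", "10.0.1.5", "2018.4.1.17", "10.0.4.0"]:
        print(remediation(sample))
```

Two points worth keeping in mind when adapting this: the ranges are inclusive on both ends exactly as the table states them, and a version that is newer than the last affected release but older than the stated fix (for example a V10CD build between 10.0.3.0 and 10.0.4.0) is reported as "not listed", so such cases still need a manual check against the bulletin rather than being treated as patched.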