Security Bulletin: IBM Security Verify Governance uses components with known vulnerabilities (CVE-2021-22696, CVE-2021-30468, CVE-2020-1954)
Discription

## Summary

Components with the following Known Vulnerabilities have been upgraded in IBM Security Verify Governance.

## Vulnerability Details

** CVEID: **[CVE-2021-22696]()
** DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by improper validation of request_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/199335]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2021-30468]()
** DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending a specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203830]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2020-1954]()
** DESCRIPTION: **Apache CXF is vulnerable to a man-in-the-middle attack, caused by a flaw in JMX Integration. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 5.9
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/178938]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

## Affected Products and Versions

**Affected Product(s)**| **Version(s)**
—|—
IBM Security Verify Governance| 10.0

## Remediation/Fixes

**IBM encourages customers to update their systems promptly.**

**Affected Product(s)**| **Version(s)**| **Fix Availability**
—|—|—
IBM Security Verify Governance| 10.0.1.5| [10.0.1.0-ISS-ISVG-IGVA-FP0005]( “10.0.1.0-ISS-ISVG-IMVA-FP0001” )

## Workarounds and Mitigations

None

##Read More

References

Back to Main
Subscribe for the latest news: