CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.5 | $0-$5k | 0.00 |
A vulnerability classified as critical was found in IBM DB2 9.5/9.7/9.8/10.1/10.5 (Database Software). Affected by this vulnerability is some unknown functionality of the component SSL Message Handler. The manipulation with an unknown input leads to a resource management vulnerability. The CWE definition for the vulnerability is CWE-399. As an impact it is known to affect availability. The summary by CVE is:
The Reverse Proxy feature in IBM Global Security Kit (aka GSKit) in IBM Security Access Manager (ISAM) for Web 7.0 before 7.0.0-ISS-SAM-IF0006 and 8.0 before 8.0.0.3-ISS-WGA-IF0002 allows remote attackers to cause a denial of service (infinite loop) via crafted SSL messages.
The weakness was presented 05/26/2014 as swg21671732 / Reference 1671732 as confirmed advisory (Website). The advisory is shared at www-01.ibm.com. This vulnerability is known as CVE-2014-0963 since 01/06/2014. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.
The vulnerability scanner Nessus provides a plugin with the ID 80482 (IBM Security Directory Server < 6.1.0.61 / 6.2.0.36 / 6.3.0.30 / 6.3.1.2 with GSKit < 7.0.4.50 / 8.0.50.20 SSL CPU Utilization DoS), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows. The commercial vulnerability scanner Qualys is able to test this issue with plugin 19986 (IBM DB2 Multiple Vulnerabilities (swg21633303)).
Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (92844) and Tenable (80482). Additional details are provided at www-304.ibm.com. See 13392, 13394, 13395 and 68134 for similar entries.
Affected
- IBM DB2 9.5/9.7/9.8/10.1/10.5
- IBM Security Network Protection 5.1/5.1.1/5.1.2/5.1.2.1/5.2
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.5VulDB Meta Temp Score: 6.5
VulDB Base Score: 7.5
VulDB Temp Score: 6.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 80482
Nessus Name: IBM Security Directory Server < 6.1.0.61 / 6.2.0.36 / 6.3.0.30 / 6.3.1.2 with GSKit < 7.0.4.50 / 8.0.50.20 SSL CPU Utilization DoS
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
Exposure Time: 🔍
Timeline
01/06/2014 🔍05/06/2014 🔍
05/08/2014 🔍
05/26/2014 🔍
05/26/2014 🔍
05/27/2014 🔍
05/29/2014 🔍
06/18/2014 🔍
08/12/2014 🔍
01/13/2015 🔍
01/27/2015 🔍
06/20/2021 🔍
Sources
Vendor: ibm.comAdvisory: swg21671732 / Reference 1671732
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-0963 (🔍)
IAVM: 🔍
X-Force: 92844 - IBM Security Access Manager for Web High CPU utilization, High Risk
SecurityTracker: 1030707 - IBM Security Network Protection SSL Processing Flaw Lets Remote Users Deny Service
Vulnerability Center: 48248 - IBM Security Access Manager for Web and Informix Server Remote DoS Vulnerability via SSL Messages, High
SecurityFocus: 67238 - IBM Security Access Manager for Web CVE-2014-0963 Remote Denial of Service Vulnerability
Secunia: 58519 - IBM DB2 / DB2 Connect Multiple Vulnerabilities, Less Critical
Misc.: 🔍
See also: 🔍
Entry
Created: 05/29/2014 22:13Updated: 06/20/2021 13:42
Changes: 05/29/2014 22:13 (85), 06/18/2017 09:37 (3), 06/20/2021 13:42 (3)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.