Vulnerability Name: CVE-2019-3885 (CCN-159857)

Assigned: 2019-04-17
Published: 2019-04-17
Updated: 2019-05-27
Summary: A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information being leaked via the system logs.
CVSS v3 Severity:
  7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): High; Integrity (I): None; Availability (A): None

  5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

  3.3 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
  2.9 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required
  Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

CVSS v2 Severity:
  5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

  5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

Vulnerability Type: CWE-416
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2019-3885

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2019:1400

Source: BID
Type: Third Party Advisory, VDB Entry
108036

Source: REDHAT
Type: UNKNOWN
RHSA-2019:1278

Source: REDHAT
Type: UNKNOWN
RHSA-2019:1279

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3885

Source: XF
Type: UNKNOWN
pacemaker-cve20193885-info-disc(159857)

Source: CCN
Type: pacemaker GIT Repository
High: cumulative patchset to fix CVE-2019-3885, CVE-2018-16877, CVE-2018-16878 + additional unmasked null pointer deref #1749

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/ClusterLabs/pacemaker/pull/1749

Source: FEDORA
Type: UNKNOWN
FEDORA-2019-e71f6f36ac

Source: FEDORA
Type: UNKNOWN
FEDORA-2019-b502250ba4

Source: FEDORA
Type: Third Party Advisory
FEDORA-2019-e4c8de3fb7

Source: CCN
Type: oss-sec Mailing List, Wed, 17 Apr 2019 15:10:23 +0530
3 pacemaker security flaws

Source: UBUNTU
Type: Third Party Advisory
USN-3952-1

Source: CCN
Type: IBM Security Bulletin 6382912 (MQ)
IBM MQ is affected by multiple vulnerabilities in Pacemaker

Source: CCN
Type: IBM Security Bulletin 6388650 (MQ Appliance)
IBM MQ Appliance is affected by Pacemaker vulnerabilities (CVE-2018-16878, CVE-2018-16877, CVE-2019-3885)

Source: CCN
Type: IBM Security Bulletin 6558082 (WebSphere Cast Iron)
WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl, Ghostscript.

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-3885

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:clusterlabs:pacemaker:*:*:*:*:*:*:*:* (Version <= 2.0.1)

Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/a:redhat:enterprise_linux:8::highavailability:*:*:*:*:*

Configuration RedHat 6:
  • cpe:/a:redhat:enterprise_linux:8::resilientstorage:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:clusterlabs:pacemaker:2.0.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:websphere_cast_iron:7.5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:7.5.2.0:*:*:*:professional:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.2:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.2:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq:9.1.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.3:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.3:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.4:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq_appliance:9.1.5:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class (V = vulnerability, P = patch) | Title | Last Modified
oval:org.opensuse.security:def:20193885 | V | CVE-2019-3885 | 2022-09-02
oval:org.opensuse.security:def:6346 | P | Security update for libEMF (Moderate) (in QA) | 2022-08-29
oval:org.opensuse.security:def:19 | P | btrfsmaintenance-0.4.2-1.11 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:6324 | P | Security update for libreoffice (Moderate) | 2022-04-04
oval:org.opensuse.security:def:112753 | P | libpacemaker-devel-2.1.0+20210816.c6a4f6e6c-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:10443 | P | Security update for SDL2 (Important) (in QA) | 2022-01-12
oval:org.opensuse.security:def:7297 | P | Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) (Important) | 2021-12-15
oval:org.opensuse.security:def:10375 | P | Security update for mariadb (Moderate) | 2021-12-06
oval:org.opensuse.security:def:4235 | P | Security update for wireshark (Moderate) | 2021-12-06
oval:org.opensuse.security:def:10367 | P | Security update for java-1_8_0-openjdk (Important) | 2021-11-23
oval:org.opensuse.security:def:10666 | P | Security update for the Linux Kernel (Important) | 2021-11-19
oval:org.opensuse.security:def:4162 | P | Security update for flatpak (Important) | 2021-10-20
oval:org.opensuse.security:def:7275 | P | Security update for the Linux Kernel (Live Patch 1 for SLE 15 SP3) (Important) | 2021-10-12
oval:org.opensuse.security:def:106225 | P | libpacemaker-devel-2.1.0+20210816.c6a4f6e6c-1.1 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:6454 | P | Security update for openssl-1_0_0 (Important) | 2021-08-24
oval:org.opensuse.security:def:4149 | P | Security update for openexr (Important) | 2021-08-20
oval:org.opensuse.security:def:67542 | P | Security update for java-1_8_0-openjdk (Important) | 2021-08-20
oval:org.opensuse.security:def:13997 | P | pam-modules-12.1-23.12 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13975 | P | libvte9-0.28.2-19.7 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:10688 | P | Security update for MozillaThunderbird (Important) | 2021-07-22
oval:org.opensuse.security:def:4141 | P | Security update for caribou (Important) | 2021-07-20
oval:org.opensuse.security:def:4204 | P | Security update for MozillaFirefox (Important) | 2021-07-19
oval:org.opensuse.security:def:6473 | P | Security update for the Linux Kernel (Important) | 2021-06-28
oval:org.opensuse.security:def:13337 | P | libXfixes3-32bit-5.0.1-3.53 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:70895 | P | ecryptfs-utils-111-2.31 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:13315 | P | gv-3.7.4-1.36 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:13271 | P | clamav-0.98.4-1.22 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11326 | P | java-1_7_0-openjdk-plugin-1.5.1-1.13 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:13324 | P | java-1_7_0-openjdk-1.7.0.6-33.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:11348 | P | libXvMC1-1.0.8-3.57 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:70782 | P | Security update for MozillaThunderbird (Moderate) | 2021-06-04
oval:org.opensuse.security:def:5043 | P | Security update for curl (Moderate) | 2021-05-26
oval:org.opensuse.security:def:4383 | P | Security update for the Linux Kernel (Live Patch 7 for SLE 12 SP5) (Important) | 2021-04-07
oval:org.opensuse.security:def:10675 | P | Security update for evolution-data-server (Moderate) | 2021-03-24
oval:org.opensuse.security:def:10397 | P | Security update for salt (Critical) | 2021-02-26
oval:org.opensuse.security:def:6316 | P | Security update for ImageMagick (Moderate) | 2021-02-25
oval:org.opensuse.security:def:10599 | P | Security update for MozillaThunderbird (Important) | 2021-01-29
oval:org.opensuse.security:def:5021 | P | Security update for openldap2 (Moderate) | 2021-01-14
oval:org.opensuse.security:def:4369 | P | Security update for the Linux Kernel (Live Patch 8 for SLE 12 SP5) (Important) | 2020-12-07
oval:org.opensuse.security:def:13152 | P | python-cryptography-1.3.1-7.13.4 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:96504 | P | libpacemaker-devel-2.0.1+20190417.13d370ca9-1.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13090 | P | libvirt-5.1.0-11.10 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:12805 | P | libpacemaker3-1.1.21+20190809.bf34b44fa-1.17 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4026 | P | libpacemaker-devel-1.1.21+20190809.bf34b44fa-1.17 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13021 | P | libmicrohttpd10-0.9.30-5.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13171 | P | rtkit-0.11_git201205151338-8.14 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:16862 | P | libpacemaker-devel-1.1.21+20190809.bf34b44fa-1.17 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13137 | P | perl-Archive-Zip-1.34-3.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13013 | P | libksba8-1.3.0-23.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:89539 | P | libpacemaker-devel-2.0.1+20190417.13d370ca9-1.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13043 | P | libpcre1-32bit-8.39-8.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:13246 | P | apache2-mod_wsgi-4.4.13-2.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103194 | P | libpacemaker-devel-2.0.1+20190417.13d370ca9-1.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4263 | P | Security update for the Linux Kernel (Live Patch 2 for SLE 15) (Important) | 2020-12-02
oval:org.opensuse.security:def:6439 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-02
oval:org.opensuse.security:def:4379 | P | Security update for the Linux Kernel (Important) | 2020-12-02
oval:org.opensuse.security:def:4324 | P | Security update for the Linux Kernel (Live Patch 16 for SLE 15) (Important) | 2020-12-02
oval:org.opensuse.security:def:4247 | P | Security update for the Linux Kernel (Important) | 2020-12-02
oval:org.opensuse.security:def:4376 | P | Security update for the Linux Kernel (Live Patch 16 for SLE 15) (Important) | 2020-12-02
oval:org.opensuse.security:def:4344 | P | Security update for the Linux Kernel (Live Patch 12 for SLE 15) (Important) | 2020-12-02
oval:org.opensuse.security:def:10624 | P | ant on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17765 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:18887 | P | Security update for java-1_7_1-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:6624 | P | gstreamer on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17807 | P | Security update for libgcrypt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6606 | P | gd on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18126 | P | Security update for ImageMagick (Important) | 2020-12-01
oval:org.opensuse.security:def:10524 | P | libnettle-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18913 | P | Security update for pacemaker (Important) | 2020-12-01
oval:org.opensuse.security:def:6548 | P | MozillaFirefox on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17980 | P | Security update for libquicktime (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18249 | P | Security update for php7 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10490 | P | libcurl-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6637 | P | hyper-v on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17892 | P | Security update for postgresql94 (Important) | 2020-12-01
oval:org.opensuse.security:def:18215 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:18158 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:64108 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6392 | P | libjpeg-turbo on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6615 | P | gnome-keyring on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17773 | P | Security update for glibc (Moderate) | 2020-12-01
oval:org.opensuse.security:def:6573 | P | cracklib on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:18016 | P | Security update for dovecot22 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:10505 | P | libid3tag-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64195 | P | libpacemaker-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67442 | P | Security update for SUSE Manager Proxy 4.1 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:17949 | P | Security update for mariadb (Important) | 2020-12-01
oval:org.opensuse.security:def:18227 | P | Security update for util-linux (Important) | 2020-12-01
oval:com.redhat.rhsa:def:20191278 | P | RHSA-2019:1278: pacemaker security update (Important) | 2019-05-27
oval:com.redhat.rhsa:def:20191279 | P | RHSA-2019:1279: pacemaker security and bug fix update (Important) | 2019-05-27
oval:org.opensuse.security:def:125062 | P | Security update for pacemaker (Important) | 2019-04-26
oval:org.opensuse.security:def:125870 | P | Security update for pacemaker (Important) | 2019-04-26
oval:com.ubuntu.xenial:def:201938850000000 | V | CVE-2019-3885 on Ubuntu 16.04 LTS (xenial) - low. | 2019-04-18
oval:com.ubuntu.cosmic:def:20193885000 | V | CVE-2019-3885 on Ubuntu 18.10 (cosmic) - low. | 2019-04-18
oval:com.ubuntu.bionic:def:20193885000 | V | CVE-2019-3885 on Ubuntu 18.04 LTS (bionic) - low. | 2019-04-18
oval:com.ubuntu.cosmic:def:201938850000000 | V | CVE-2019-3885 on Ubuntu 18.10 (cosmic) - low. | 2019-04-18
oval:com.ubuntu.xenial:def:20193885000 | V | CVE-2019-3885 on Ubuntu 16.04 LTS (xenial) - low. | 2019-04-18
oval:com.ubuntu.bionic:def:201938850000000 | V | CVE-2019-3885 on Ubuntu 18.04 LTS (bionic) - low. | 2019-04-18
oval:com.ubuntu.disco:def:201938850000000 | V | CVE-2019-3885 on Ubuntu 19.04 (disco) - low. | 2019-04-18
oval:com.ubuntu.trusty:def:20193885000 | V | CVE-2019-3885 on Ubuntu 14.04 LTS (trusty) - low. | 2019-04-18