cnvd - cnvd-2019-07071

CNVD-2019-07071

Vulnerability from cnvd - Published: 2019-03-14

Title

Micro Focus Enterprise Developer拒绝服务漏洞

Description

Micro Focus Enterprise Developer和Enterprise Server都是英国Micro Focus公司的产品。Micro Focus Enterprise Developer是一套用于大型机的集成开发环境。Enterprise Server是一套大型机程序生产部署平台。 Micro Focus Enterprise Developer存在拒绝服务漏洞，该漏洞源于未能正确处理HTTP请求，攻击者可通过空指针引用利用该漏洞造成拒绝服务。

Severity

中

Patch Name

Micro Focus Enterprise Developer拒绝服务漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29624/enterprise-server-security-fix-october-2018

Reference

https://nvd.nist.gov/vuln/detail/CVE-2018-12469

Impacted products

Name
['Micro Focus Enterprise Developer and Enterprise Server <=2.3 Update 2', 'Micro Focus Enterprise Developer and Enterprise Server 3.0.，<3.0 Patch Update 12', 'Micro Focus Enterprise Developer and Enterprise Server 4.0.，<4.0 Patch Update 2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-12469",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12469"
    }
  },
  "description": "Micro Focus Enterprise Developer\u548cEnterprise Server\u90fd\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4ea7\u54c1\u3002Micro Focus Enterprise Developer\u662f\u4e00\u5957\u7528\u4e8e\u5927\u578b\u673a\u7684\u96c6\u6210\u5f00\u53d1\u73af\u5883\u3002Enterprise Server\u662f\u4e00\u5957\u5927\u578b\u673a\u7a0b\u5e8f\u751f\u4ea7\u90e8\u7f72\u5e73\u53f0\u3002\n\nMicro Focus Enterprise Developer\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u6b63\u786e\u5904\u7406HTTP\u8bf7\u6c42\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7a7a\u6307\u9488\u5f15\u7528\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Tim Thurlings",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29624/enterprise-server-security-fix-october-2018",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-07071",
  "openTime": "2019-03-14",
  "patchDescription": "Micro Focus Enterprise Developer\u548cEnterprise Server\u90fd\u662f\u82f1\u56fdMicro Focus\u516c\u53f8\u7684\u4ea7\u54c1\u3002Micro Focus Enterprise Developer\u662f\u4e00\u5957\u7528\u4e8e\u5927\u578b\u673a\u7684\u96c6\u6210\u5f00\u53d1\u73af\u5883\u3002Enterprise Server\u662f\u4e00\u5957\u5927\u578b\u673a\u7a0b\u5e8f\u751f\u4ea7\u90e8\u7f72\u5e73\u53f0\u3002\r\n\r\nMicro Focus Enterprise Developer\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u80fd\u6b63\u786e\u5904\u7406HTTP\u8bf7\u6c42\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7a7a\u6307\u9488\u5f15\u7528\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Micro Focus Enterprise Developer\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Micro Focus Enterprise Developer and Enterprise Server \u003c=2.3 Update 2",
      "Micro Focus Enterprise Developer and Enterprise Server 3.0.*\uff0c\u003c3.0 Patch Update 12",
      "Micro Focus Enterprise Developer and Enterprise Server 4.0.*\uff0c\u003c4.0 Patch Update 2"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-12469",
  "serverity": "\u4e2d",
  "submitTime": "2018-10-16",
  "title": "Micro Focus Enterprise Developer\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2018-12469 (GCVE-0-2018-12469)

Vulnerability from cvelistv5 – Published: 2018-10-12 13:00 – Updated: 2024-09-16 19:46

Summary

Incorrect handling of an invalid value for an HTTP request parameter by Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 Update 2 and earlier, 3.0 before Patch Update 12, and 4.0 before Patch Update 2 causes a null pointer dereference (CWE-476) and subsequent denial of service due to process termination.

Severity ?

No CVSS data available.

CWE

CWE-476 - NULL Pointer Dereference (CWE-476)

Assigner

microfocus

References

URL

Tags

https://community.microfocus.com/microfocus/mainf…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Micro Focus	Micro Focus Enterprise Developer, Micro Focus Enterprise Server	Affected: All versions before 3.0 Patch Update 12, 4.0 Patch Update 2, 5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:38:05.945Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29624/enterprise-server-security-fix-october-2018"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Micro Focus Enterprise Developer, Micro Focus Enterprise Server",
          "vendor": "Micro Focus",
          "versions": [
            {
              "status": "affected",
              "version": "All versions before 3.0 Patch Update 12, 4.0 Patch Update 2, 5.0"
            }
          ]
        }
      ],
      "datePublic": "2018-10-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect handling of an invalid value for an HTTP request parameter by Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 Update 2 and earlier, 3.0 before Patch Update 12, and 4.0 before Patch Update 2 causes a null pointer dereference (CWE-476) and subsequent denial of service due to process termination."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "NULL Pointer Dereference (CWE-476)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-06T16:15:44",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "microfocus"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29624/enterprise-server-security-fix-october-2018"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@microfocus.com",
          "DATE_PUBLIC": "2018-10-04T00:00:00",
          "ID": "CVE-2018-12469",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Micro Focus Enterprise Developer, Micro Focus Enterprise Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions before 3.0 Patch Update 12, 4.0 Patch Update 2, 5.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Micro Focus"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect handling of an invalid value for an HTTP request parameter by Directory Server (aka Enterprise Server Administration web UI) in Micro Focus Enterprise Developer and Enterprise Server 2.3 Update 2 and earlier, 3.0 before Patch Update 12, and 4.0 before Patch Update 2 causes a null pointer dereference (CWE-476) and subsequent denial of service due to process termination."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "NULL Pointer Dereference (CWE-476)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29624/enterprise-server-security-fix-october-2018",
              "refsource": "CONFIRM",
              "url": "https://community.microfocus.com/microfocus/mainframe_solutions/enterprise_server/w/knowledge_base/29624/enterprise-server-security-fix-october-2018"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "microfocus",
    "cveId": "CVE-2018-12469",
    "datePublished": "2018-10-12T13:00:00Z",
    "dateReserved": "2018-06-15T00:00:00",
    "dateUpdated": "2024-09-16T19:46:30.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-07071

CVE-2018-12469 (GCVE-0-2018-12469)

Tags

Sightings

Nomenclature