FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider-risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Staff
Article Id 357167
Description: This article discusses JAZZ-186: Certificates for webhook remote endpoints that are not validated.
Scope: FortiDLP.
Solution:

Release Date:

28th May, 2019

 

Overview:

Webhook HTTPS connections are created without validating the certificate of the target system.

 

Affected Products:

  • Jazz Infrastructure versions 4.0.0 - 4.0.10 inclusive.

 

Unaffected Products:

  • All Jazz Agents, and Jazz Infrastructure before 4.0.0 or after 4.0.10.

 

Resolution:

The issue is now fixed in Jazz Infrastructure 4.0.11.

 

It is strongly recommended that all on-premises installations running an affected version with any webhooks configured upgrade to the latest release as soon as possible. Releases are available to download through the support portal. Jazz Cloud customers have already been upgraded to the latest version.

 

If it is not possible to upgrade immediately, delete webhooks from the Jazz Infrastructure.

 

Vulnerability Information:

JAZZ-186 leaves open the possibility for a man-in-the-middle (MITM) attacker to read or modify messages sent to configured webhooks.

It would not be possible to alter data held within the Jazz Infrastructure.
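The defect class described in the Overview and above, shown as an added Python example (not Jazz Networks' or Fortinet's code; the page does not give Jazz Infrastructure's implementation language or webhook payload format, so the event payload and URLs are constructed): a TLS client context that accepts any certificate beside one that validates the chain and hostname, with a gate the sender applies before posting.

```python
import json
import ssl
import urllib.request
from typing import Optional

# Constructed sample payload standing in for a webhook event (not a real Jazz event schema).
SAMPLE_EVENT = {"event": "alert.created", "id": "example-0001", "severity": "high"}


def insecure_webhook_context() -> ssl.SSLContext:
    """The JAZZ-186 defect class: traffic is encrypted, but the peer is never authenticated,
    so any certificate (including an interposing MITM's) is accepted.
    check_hostname must be cleared before verify_mode, or Python raises ValueError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_webhook_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Authenticates the webhook endpoint: chain validated against the system store
    (or an explicit CA bundle) and the hostname matched against the certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context rejects untrusted or mismatched certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def webhook_send_allowed(url: str, ctx: ssl.SSLContext) -> bool:
    """Policy gate: only https URLs with a peer-validating context may receive events."""
    return url.lower().startswith("https://") and context_validates_peer(ctx)


def send_webhook(url: str, event: dict, ctx: ssl.SSLContext) -> int:
    """POST an event as JSON; with a validating context an untrusted certificate fails the
    handshake (ssl.SSLCertVerificationError) before any event data is transmitted."""
    if not webhook_send_allowed(url, ctx):
        raise ValueError("refusing to send: URL is not https or context does not validate the peer")
    req = urllib.request.Request(url, data=json.dumps(event).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status
```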

 

Acknowledgments:

Issue found internally by Jazz Networks.

 

Disclosure Timeline:

  • 01/05/2019 Issue found internally by Jazz Networks.
  • 02/05/2019 Root cause established.
  • 02/05/2019 Fix identified.
  • 28/05/2019 Patched Jazz Infrastructure released.
  • 28/05/2019 Vulnerability publicly disclosed.