Release Date:

17th June, 2019

Overview:

Directories containing Jazz Agent data were found to be unprotected on the first run of the Jazz Agent. This could allow an attacker to modify data sent to the Jazz Infrastructure.

Affected Products:

• All Jazz Agents below version 4.0.0 on Linux and Mac.

Unaffected Products:

• Jazz Infrastructure, Jazz Agents on Windows, and Jazz Agents above and including version 4.0.0.

Resolution:

This issue is fixed in Jazz Agent 4.0.0.

It is strongly recommended that all customers ensure the Jazz Agent has been restarted after the first installation on all nodes.

An upgrade to Jazz Agent 4.0.0 will also fix this issue.

Vulnerability Information:

JAZZ-187 allows an unprivileged user to read and modify the data sent by the Jazz Agent to the Jazz Infrastructure if the Agent has not been restarted since installation. It would not be possible to read or modify data already present in the Jazz Infrastructure.

• CVE: pending.
• CVSSv3 score: 9.3.
• CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:W/RC:R/CR:H/IR:H/AR:H

Acknowledgments:

Issue found internally by Jazz Networks.

Disclosure Timeline:

• 01/05/2019 Issue found internally by Jazz Networks.
• 02/05/2019 Root cause established.
• 08/05/2019 Fix identified.
• 17/06/2019 Patched Jazz Agent released.
• 17/06/2019 Vulnerability publicly disclosed.