Security update advisory for IBM products (IBM Cloud Object System, IBM Cloud Pak System, etc.)

Overview


An update has been made available to address vulnerabilities in the IBM family of products. Users of affected versions are encouraged to update to the latest version.


Affected Products


CVE-2023-20883, CVE-2016-1000027

  • IBM Sterling Control Center 6.3.0.0


CVE-2022-46337

  • IBM Cloud Pak System 2.3.1.1, 2.3.20, 2.3.3.7 (Power)
  • IBM Cloud Pak System 2.3.3.0 through 2.3.3.6 (Intel)


CVE-2023-36478, CVE-2023-44487, CVE-2023-41900, CVE-2023-40167, CVE-2023-36479, CVE-2023-34462, CVE-2023-4807, CVE-2023-46849, CVE-2023-46850, CVE-2023-5363

  • IBM MaaS360 Cloud Extender Agent 3.000.250.023 and earlier versions
  • IBM MaaS360 Mobile Enterprise Gateway 3.000.300 and earlier versions
  • IBM MaaS360 VPN 3.000.200 and earlier versions

CVE-2023-45871

  • IBM Cloud Object System 3.18.0.21 and earlier versions


Resolved Vulnerabilities


Denial of service vulnerability in Spring Boot (CVE-2023-20883) and remote code execution vulnerability in Spring Framework (CVE-2016-1000027) affecting the IBM Sterling Control Center product
Security restriction bypass vulnerability due to LDAP injection in the Apache Derby LDAP authenticator, affecting IBM Cloud Pak System (CVE-2022-46337)
Denial of service vulnerability due to an integer overflow and buffer allocation flaw in MetaDataBuilder.checkSize (CVE-2023-36478)
Denial of service vulnerability due to a multi-stream handling flaw in the HTTP/2 protocol (CVE-2023-44487)
Security restriction bypass vulnerability due to improper authentication validation when using LoginService (CVE-2023-41900)
HTTP request smuggling vulnerability due to improper parsing of HTTP/1 request headers (CVE-2023-40167)
Vulnerability due to a malformed command quoting flaw in the org.eclipse.jetty.servlets.CGI servlet (CVE-2023-36479)
Denial of service vulnerability due to a flaw in TLS handshake handling in the Netty SniHandler class, which can allocate up to 16 MB of heap per channel (CVE-2023-34462)
Denial of service vulnerability due to a state corruption flaw in the POLY1305 message authentication code (MAC) implementation when running on modern x86_64 processors that support the OpenSSL AVX512-IFMA instructions (CVE-2023-4807)
Denial of service vulnerability due to a division-by-zero flaw in OpenVPN (CVE-2023-46849)
Arbitrary code execution vulnerability due to a use-after-free flaw in OpenVPN (CVE-2023-46850)
Sensitive information disclosure vulnerability in OpenSSL due to incorrect cipher key and IV length handling during some symmetric cipher initializations (CVE-2023-5363)
Buffer overflow vulnerability due to improper boundary checking by the igb driver in drivers/net/ethernet/intel/igb/igb_main.c in the Linux kernel (CVE-2023-45871)


Vulnerability Patch


Patches for these vulnerabilities were made available in the February 5-11, 2024 update. Please follow the instructions on the reference sites to update to the latest patched version.

CVE-2023-20883, CVE-2016-1000027

  • IBM Sterling Control Center 6.3.0.0 iFix04


CVE-2022-46337

  • IBM Cloud Pak System v2.3.3.6 Interim Fix 2
  • IBM Cloud Pak System v2.3.3.7 and v2.3.3.7 Interim Fix 01


CVE-2023-36478, CVE-2023-44487, CVE-2023-41900, CVE-2023-40167, CVE-2023-36479, CVE-2023-34462, CVE-2023-4807, CVE-2023-46849, CVE-2023-46850, CVE-2023-5363

  • IBM MaaS360 Cloud Extender 3.000.300.025 or later
  • IBM MaaS360 Mobile Enterprise Gateway and VPN modules 3.000.400 or later


CVE-2023-45871

  • IBM Cloud Object System version 3.18.0.40 or later
  • IBM Cloud Object System version 3.18.1.45 or later


Reference Sites

[1] IBM security advisory (AV24-079)
https://www.cyber.gc.ca/en/alerts-advisories/ibm-security-advisory-av24-079
[2] Security Bulletin: IBM Sterling Control Center vulnerable to denial of service due to Spring Boot and remote code execution due to Spring Framework
https://www.ibm.com/support/pages/node/7116050
[3] Security Bulletin: Vulnerability in Apache Derby affects IBM Cloud Pak System [CVE-2022-46337]
https://www.ibm.com/support/pages/node/7115283
[4] Security Bulletin: IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN Module affected by multiple vulnerabilities
https://www.ibm.com/support/pages/node/7115287
[5] Security Bulletin: Vulnerability with Kernel affect IBM Cloud Object Storage Systems (Jan 2024v1)
https://www.ibm.com/support/pages/node/7114810