Security update advisory for IBM products (including IBM Engineering Requirements Management DOORS Next)
Overview
IBM has released updates that fix vulnerabilities in several IBM products. Users of affected versions are advised to update to the fixed versions listed below.
Affected Products
CVE-2021-35573, CVE-2021-35660, CVE-2021-35662, CVE-2021-35572, CVE-2021-35657, CVE-2021-35574, CVE-2021-35656, CVE-2021-35661, CVE-2021-35659, CVE-2021-35658
- IBM Engineering Requirements Management DOORS Next 7.0.2 version
CVE-2023-36478, CVE-2023-44487
- Rational Service Tester (RST) 10.0, 10.1 and 10.2 (affected through the Eclipse Jetty component)
CVE-2024-25021, CVE-2023-47038, CVE-2023-47100
- AIX 7.3: perl.rte fileset levels 5.23.0.0 through 5.34.1.5
- VIOS 4.1: perl.rte fileset levels 5.23.0.0 through 5.34.1.5
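The AIX and VIOS entries above give an affected range of perl.rte fileset levels rather than a single version, so the practical check is to read the installed level and compare it numerically against that range. The script below is an added example, not part of the IBM bulletin: it parses the output of AIX's `lslpp -L perl.rte` (the column layout assumed here is Fileset, Level, State, Type, Description; the sample output embedded in the script is constructed, not captured from a real system) and compares dotted four-field levels field by field, so that 5.34.1.5 sorts below 5.34.1.10 as it should.

```shell
# Added example, not from the IBM bulletin: decide whether an installed AIX/VIOS
# perl.rte level falls inside the affected range quoted in the advisory.
# Assumes `lslpp -L perl.rte` prints "perl.rte <level> <state> <type> <description>".

AFFECTED_LOW="5.23.0.0"
AFFECTED_HIGH="5.34.1.5"

# vercmp A B: prints -1, 0 or 1 as A <, =, > B, comparing each dotted
# field numerically (a plain string compare would put 5.34.1.10 before 5.34.1.5).
vercmp() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}          # missing trailing fields count as 0
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1;  return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# classify_level LEVEL: prints AFFECTED when LOW <= LEVEL <= HIGH, else NOT_AFFECTED
classify_level() {
    v="$1"
    if [ "$(vercmp "$v" "$AFFECTED_LOW")" -ge 0 ] && \
       [ "$(vercmp "$v" "$AFFECTED_HIGH")" -le 0 ]; then
        printf '%s\n' AFFECTED
    else
        printf '%s\n' NOT_AFFECTED
    fi
}

# parse_lslpp_level: pull the Level column for perl.rte out of lslpp -L output on stdin
parse_lslpp_level() {
    awk '$1 == "perl.rte" { print $2; exit }'
}

# Constructed sample standing in for the real command output on an AIX 7.3 host.
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  perl.rte                   5.34.1.5    C     F    Perl Version 5 Runtime'

# check_sample: run the whole pipeline over the constructed sample and print the verdict
check_sample() {
    level=$(printf '%s\n' "$SAMPLE_LSLPP" | parse_lslpp_level)
    verdict=$(classify_level "$level")
    printf 'perl.rte %s: %s (affected range %s through %s)\n' \
        "$level" "$verdict" "$AFFECTED_LOW" "$AFFECTED_HIGH"
    printf '%s\n' "$verdict"
}

check_sample
```

On a real host replace the constructed sample with `lslpp -L perl.rte | parse_lslpp_level`. Because IBM ships the fix as a later level of the same fileset (see reference site [4] for the exact level), a result of AFFECTED for a level equal to the upper bound is expected; anything above the range indicates the updated fileset is installed.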
Resolved Vulnerabilities
Denial of service via unspecified vulnerabilities in the Outside In Filters component of Oracle Outside In Technology (CVE-2021-35573, CVE-2021-35660, CVE-2021-35662, CVE-2021-35572, CVE-2021-35657, CVE-2021-35656, CVE-2021-35661, CVE-2021-35659, CVE-2021-35658)
Unspecified vulnerability in the Outside In Filters component of Oracle Outside In Technology that could allow an attacker to take control of the affected product (CVE-2021-35574)
Denial of service in Eclipse Jetty due to an integer overflow in MetaDataBuilder.checkSize during HPACK header decoding, which can lead to an oversized buffer allocation (CVE-2023-36478)
Denial of service due to a flaw in the handling of multiplexed streams in the HTTP/2 protocol ("Rapid Reset"): a client that rapidly opens and cancels streams can exhaust server resources (CVE-2023-44487)
Arbitrary command execution by a local user through a vulnerability in Perl on IBM AIX (CVE-2024-25021)
Heap-based buffer overflow in Perl when compiling a specially crafted regular expression, which could allow arbitrary code execution (CVE-2023-47038)
Security restriction bypass due to improper handling of property names (the \p{...} construct) in the S_parse_uniprop_string function in Perl's regcomp.c, which can write outside the allocated buffer (CVE-2023-47100)
Vulnerability Patches
Patches were made available in the February 2024 updates. Update to the fixed versions below, or to the latest level listed on the corresponding reference site.
CVE-2021-35573, CVE-2021-35660, CVE-2021-35662, CVE-2021-35572, CVE-2021-35657, CVE-2021-35574, CVE-2021-35656, CVE-2021-35661, CVE-2021-35659, CVE-2021-35658
- IBM Engineering Requirements Management DOORS Next 7.0.2 iFix026a and later
CVE-2023-36478, CVE-2023-44487
- Rational Service Tester (RST) 11.0.0 (includes the fixed Eclipse Jetty component)
CVE-2024-25021, CVE-2023-47038, CVE-2023-47100
- See reference site [4] for the fixed perl.rte fileset levels for AIX 7.3 and VIOS 4.1
Referenced Sites
[1] IBM Product Security Central
https://www.ibm.com/support/pages/bulletin/
[2] Security Bulletin: Multiple Oracle Outside In Technology vulnerabilities in IBM Engineering Requirements Management DOORS Next
https://www.ibm.com/support/pages/node/7122411
[3] Security Bulletin: Rational Service Tester contains vulnerabilities which could affect Eclipse Jetty
https://www.ibm.com/support/pages/node/7122415
[4] Security Bulletin: AIX is vulnerable to arbitrary command execution due to Perl (CVE-2024-25021, CVE-2023-47038, CVE-2023-47100)
https://www.ibm.com/support/pages/node/7122628