Security update advisories for IBM products (IBM Cloud Pak for Data, IBM Cloud Transformation Advisor, etc.)
Overview
IBM has released updates that fix multiple vulnerabilities in the products listed below. Users of affected versions are advised to update to the fixed versions given under "Vulnerability Patches".
Affected Products
CVE-2024-20918, CVE-2024-20952, CVE-2024-20921, CVE-2024-20945, CVE-2023-33850
- IBM WebSphere Application Server version 8.5
- IBM WebSphere Application Server version 9.0
- IBM WebSphere Application Server Liberty Continuous delivery
CVE-2023-33850
- IBM Tivoli Business Service Manager version 6.2.0
CVE-2023-51074, CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20919, CVE-2024-20926, CVE-2024-20945, CVE-2023-33850, CVE-2023-4586, CVE-2023-5535, CVE-2022-41723, CVE-2022-41721, CVE-2022-32149, CVE-2023-39533, CVE-2023-36478
- IBM Cloud Transformation Advisor versions 2.0.1 through 3.8.1
CVE-2022-23471, CVE-2022-31030, CVE-2022-32149, CVE-2022-41721, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-28840, CVE-2023-28841, CVE-2023-28842, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400
- IBM Cloud Pak for Data Scheduling versions 4.6.4 through 4.7.4
Resolved Vulnerabilities
Unspecified vulnerabilities in Java SE affecting the VM component of the IBM® Java SDK, addressed by the Oracle January 2024 CPU (CVE-2024-20918, CVE-2024-20952, CVE-2024-20921, CVE-2024-20945, CVE-2024-20919)
Information disclosure in IBM GSKit-Crypto: a timing-based side channel in the RSA decryption implementation allows a remote attacker to recover sensitive information (CVE-2023-33850)
Denial of service in json-path: stack exhaustion (StackOverflowError) in the Criteria.parse method (CVE-2023-51074)
Unspecified vulnerability in the Java SE Scripting component (CVE-2024-20926)
Man-in-the-middle attack against Hot Rod (Infinispan) clients: hostname verification is not enabled when TLS is used (CVE-2023-4586)
Remote code execution in Vim: a heap use-after-free in the function editing_arg_idx may allow a remote authenticated attacker to execute arbitrary code (CVE-2023-5535)
Denial of service in the Go HPACK decoder (golang.org/x/net/http2/hpack) (CVE-2022-41723)
HTTP request smuggling in the Go golang.org/x/net/http2/h2c package when MaxBytesHandler is used (CVE-2022-41721)
Denial of service due to improper input validation in the Go golang.org/x/text/language package (CVE-2022-32149)
Denial of service in go-libp2p due to a flaw in signature verification (CVE-2023-39533)
Denial of service in Eclipse Jetty: an integer overflow in MetaDataBuilder.checkSize bypasses the HPACK header size limit and leads to an oversized buffer allocation (CVE-2023-36478)
Denial of service due to flaws in the CRI implementation in containerd (CVE-2022-23471, CVE-2022-31030)
Denial of service in Go crypto/tls when handling large TLS handshake records (CVE-2022-41724)
Denial of service in Go mime/multipart when parsing multipart forms (CVE-2022-41725)
Incorrect results (impact and attack vector unspecified) from the ScalarMult and ScalarBaseMult methods of the P-256 curve in Go (CVE-2023-24532)
Denial of service due to memory exhaustion in a function shared by HTTP and MIME header parsing in Go (CVE-2023-24534)
Denial of service when parsing multipart forms in Go (CVE-2023-24536)
Denial of service in the Go go/parser package: an integer overflow when handling //line directives with very large line numbers causes an infinite loop in the Parse functions (CVE-2023-24537)
JavaScript injection in Go html/template: backticks (`) are not treated as JavaScript string delimiters, so untrusted input placed inside a JavaScript template literal is not escaped (CVE-2023-24538)
Denial of service due to an unprotected alternate channel in Moby's encrypted overlay network (CVE-2023-28840)
Information disclosure: sensitive data is not encrypted in Moby's overlay network driver (CVE-2023-28841)
Security restriction bypass due to an unprotected alternate channel in Moby's encrypted overlay network (CVE-2023-28842)
Injection into rendered pages in Go html/template due to improper sanitization of CSS values (CVE-2023-24539), JavaScript whitespace (CVE-2023-24540) and empty HTML attributes (CVE-2023-29400)
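Two of the flaws above (CVE-2023-36478 in Jetty's HPACK size check, and the go/parser infinite loop in CVE-2023-24537) share one root cause: a size or line number computed in fixed-width integer arithmetic wraps around, so a bounds check that looks correct passes for hostile input. The following Go program is an added illustration of that pattern and is not Jetty's or Go's own code; the limit value, the function names and the Huffman expansion factor of 8/5 (HPACK Huffman codes are at least 5 bits long) are assumptions chosen for the demonstration. It shows a 32-bit check that an attacker-chosen length defeats next to a hardened version that bounds the input before doing any arithmetic and widens to 64 bits.

```go
package main

import (
	"errors"
	"fmt"
)

// maxHeaderSize is an illustrative limit for the running total of decoded
// header bytes; it is not Jetty's default.
const maxHeaderSize int32 = 8192

// vulnerableCheckSize models the overflow-prone pattern: the decoded-length
// estimate for a Huffman-coded field and the running-total addition are done
// in 32-bit arithmetic with no overflow check. A claimed length of 2^29 makes
// length*8 wrap to 0, so the check passes although the decoder would then
// try to allocate half a gigabyte for a single header field.
func vulnerableCheckSize(size, length int32, huffman bool) (int32, error) {
	if huffman {
		// Decoding can expand the field to at most length*8/5 octets;
		// in int32 the product length*8 wraps silently.
		length = length * 8 / 5
	}
	size += length // the running total can also wrap negative
	if size > maxHeaderSize {
		return size, errors.New("header block too large")
	}
	return size, nil
}

// safeCheckSize rejects negative values, bounds the claimed length before any
// arithmetic, and performs the expansion and the addition in int64 so that no
// int32 input can wrap.
func safeCheckSize(size, length int32, huffman bool) (int32, error) {
	if length < 0 || size < 0 {
		return size, errors.New("negative size")
	}
	if length > maxHeaderSize {
		return size, errors.New("header field too large")
	}
	decoded := int64(length)
	if huffman {
		decoded = decoded * 8 / 5
	}
	total := int64(size) + decoded
	if total > int64(maxHeaderSize) {
		return size, errors.New("header block too large")
	}
	return int32(total), nil
}

func main() {
	// Attacker-controlled length: 2^29 octets claimed for one Huffman-coded field.
	const hostile int32 = 1 << 29
	if _, err := vulnerableCheckSize(0, hostile, true); err == nil {
		fmt.Println("vulnerable check: accepted (limit bypassed by overflow)")
	}
	if _, err := safeCheckSize(0, hostile, true); err != nil {
		fmt.Println("hardened check:", err)
	}
	// Wrapping the running total works just as well against the vulnerable check.
	if _, err := vulnerableCheckSize(2147483000, 1000, false); err == nil {
		fmt.Println("vulnerable check: accepted (running total wrapped negative)")
	}
}
```

The hardened version checks the raw claimed length against the limit first, so the expansion is only ever computed on a value already known to be small; widening to int64 then covers the running total. The same discipline (validate the untrusted operand before arithmetic, compute in a wider type, compare against the limit after) is what a reviewer should look for wherever a length or line number from the wire feeds a bounds check.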
Vulnerability Patches
Vulnerability patches were made available in the February 2024 update. Follow the instructions on the referenced site to update to the fixed version.
CVE-2024-20918, CVE-2024-20952, CVE-2024-20921, CVE-2024-20945, CVE-2023-33850
- see the “Remediation/Fixes” section of the reference site [1]
CVE-2023-33850
- see the “Remediation/Fixes” section of the reference site [2]
CVE-2023-51074, CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20919, CVE-2024-20926, CVE-2024-20945, CVE-2023-33850, CVE-2023-4586, CVE-2023-5535, CVE-2022-41723, CVE-2022-41721, CVE-2022-32149, CVE-2023-39533, CVE-2023-36478
- update to IBM Cloud Transformation Advisor version 3.8.2; see the “Remediation/Fixes” section of the reference site [3]
CVE-2022-23471, CVE-2022-31030, CVE-2022-32149, CVE-2022-41721, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-28840, CVE-2023-28841, CVE-2023-28842, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400
- update to IBM Cloud Pak for Data Scheduling version 4.8; see the “Remediation/Fixes” sections of the reference sites [4] and [5]
Referenced Sites
[1] Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to January 2024 CPU
https://www.ibm.com/support/pages/node/7117872
[2] Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2024 – Includes Oracle January 2024 CPU plus CVE-2023-33850
https://www.ibm.com/support/pages/node/7121419
[3] Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
https://www.ibm.com/support/pages/node/7121102
[4] Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to multiple ansible-operator and opm vulnerabilities
https://www.ibm.com/support/pages/node/7121255
[5] Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to multiple ansible-operator vulnerabilities
https://www.ibm.com/support/pages/node/7121279