IBM product (IBM Security Guardium, OpenBMC, etc.) security update advisory

Overview

An update has been released to address vulnerabilities in IBM products. Users of affected versions are advised to update to the latest version.


Affected Products

CVE-2022-43904

  • IBM Security Guardium versions: 11.3, 11.4

CVE-2024-31916

  • IBM OpenBMC versions: FW1050.00 (inclusive) ~ FW1050.10 (inclusive)

CVE-2023-30997, CVE-2023-30998, CVE-2023-38370

  • IBM Security Verify Access Docker versions: 10.0.0.0 (inclusive) ~ 10.0.7.1 (inclusive)
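As an added example (not part of the advisory itself), a small Python checker that encodes the affected ranges listed above and tests a reported product version against them; the product names and version bounds are the advisory's own, the function names are assumptions of this example. It handles the two version styles on this page ("FW1050.00" and "10.0.7.1") and compares numerically rather than as strings.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges copied from this advisory (both bounds inclusive).
# Guardium is listed as the 11.3 and 11.4 streams, so each is its own range.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str, str]]] = {
    "IBM Security Guardium": [
        ("CVE-2022-43904", "11.3", "11.3"),
        ("CVE-2022-43904", "11.4", "11.4"),
    ],
    "IBM OpenBMC": [
        ("CVE-2024-31916", "FW1050.00", "FW1050.10"),
    ],
    "IBM Security Verify Access Docker": [
        (cve, "10.0.0.0", "10.0.7.1")
        for cve in ("CVE-2023-30997", "CVE-2023-30998", "CVE-2023-38370")
    ],
}


def parse_version(text: str) -> Version:
    """Turn '10.0.7.1' or 'FW1050.00' into a tuple of ints (prefix letters dropped)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version components in {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: Version, low: Version, high: Version) -> bool:
    """Inclusive test. The upper bound is compared on its own length, so a
    bound like '11.4' covers every 11.4.x fix pack, while '10.0.7.1' does
    not cover 10.0.7.2, and '10.0.10.0' sorts above '10.0.7.1' numerically."""
    return low <= version and version[: len(high)] <= high


def affected_cves(product: str, version_text: str) -> List[str]:
    """Return the CVEs from this advisory that apply to product/version, sorted."""
    version = parse_version(version_text)
    hits = {
        cve
        for cve, low, high in AFFECTED_RANGES.get(product, [])
        if in_range(version, parse_version(low), parse_version(high))
    }
    return sorted(hits)


if __name__ == "__main__":
    # FW1050.11 is the fixed OpenBMC level named later in this advisory.
    for product, ver in [("IBM OpenBMC", "FW1050.10"), ("IBM OpenBMC", "FW1050.11")]:
        print(product, ver, affected_cves(product, ver) or "not in an affected range")
```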


Resolved Vulnerabilities

Improper restriction of excessive authentication attempts in IBM Security Guardium, which could allow an attacker to obtain sensitive information (CVE-2022-43904)

Vulnerability in the IBM OpenBMC HTTPS server component that could disclose sensitive URI content to an unauthorized actor who bypasses the authentication channel (CVE-2024-31916)

Vulnerabilities in the IBM Security Access Manager container that could allow a local user to gain root access because of improper access controls (CVE-2023-30997, CVE-2023-30998)

Vulnerability in the IBM Security Access Manager container that could allow a user, under certain configurations, to install malicious packages on the network (CVE-2023-38370)


Vulnerability Patches

Vulnerability patches are available in the latest updates. Please follow the instructions on the Referenced Sites to update to the patched version.


CVE-2022-43904

  • Update according to the “Remediation/Fixes” section of Referenced Site [2]


CVE-2024-31916

  • IBM OpenBMC versions: FW1050.11 and later


CVE-2023-30997, CVE-2023-30998, CVE-2023-38370

  • IBM recommends that customers update their systems immediately.


IBM Security Verify Access (Docker containers)

Run the command "docker pull icr.io/isva/verify-access:[tag]" to get the latest version of the container.
Here [tag] is the latest published version, which can be found in Referenced Site [8].

  • Update according to the “Remediation/Fixes” section of Referenced Site [8]

Referenced Sites

[1] CVE-2022-43904 Detail

https://nvd.nist.gov/vuln/detail/CVE-2022-43904

[2] Security Bulletin: IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904)

https://www.ibm.com/support/pages/node/7028509

[3] CVE-2024-31916 Detail

https://nvd.nist.gov/vuln/detail/cve-2024-31916

[4] Security Bulletin: This Power System update is being released to address CVE-2024-31916

https://www.ibm.com/support/pages/node/7158679

[5] CVE-2023-30997 Detail

https://nvd.nist.gov/vuln/detail/cve-2023-30997

[6] CVE-2023-30998 Detail

https://nvd.nist.gov/vuln/detail/CVE-2023-30998

[7] CVE-2023-38370 Detail

https://nvd.nist.gov/vuln/detail/CVE-2023-38370

[8] Security Bulletin: IBM Security Verify Access is vulnerable to multiple Security Vulnerabilities

https://www.ibm.com/support/pages/node/7158790