Jul 30, 2024 - 6:12 a.m.

Security Bulletin: IBM Sterling Connect:Direct Web Services is affected by PostgreSQL vulnerability.

2024-07-30 06:12:00
www.ibm.com
Tags: ibm sterling connect:direct, postgresql, vulnerability, upgrade, fix central

CVSS3: 3.1

Metric|Value
---|---
Attack Vector|NETWORK
Attack Complexity|HIGH
Privileges Required|LOW
User Interaction|NONE
Scope|UNCHANGED
Confidentiality Impact|LOW
Integrity Impact|NONE
Availability Impact|NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.1 (Confidence: Low)

Summary

IBM Connect:Direct Web Services uses PostgreSQL Solaris 15.6 and Windows 16.2.1 and is vulnerable to CVE-2024-4317.

Vulnerability Details

**CVEID:** CVE-2024-4317
**DESCRIPTION:** PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292549 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)|Version(s)
---|---
IBM Sterling Connect:Direct Web Services|6.3.0
IBM Sterling Connect:Direct Web Services|6.1.0
IBM Sterling Connect:Direct Web Services|6.2.0
IBM Connect:Direct Web Services|6.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Product(s)|Version(s)|Remediation
---|---|---
IBM Sterling Connect:Direct Web Services|6.0|Upgrade to 6.1.0.25, 6.2.0.24, or 6.3.0.8
IBM Sterling Connect:Direct Web Services|6.1|Apply 6.1.0.25, available on Fix Central
IBM Sterling Connect:Direct Web Services|6.2|Apply 6.2.0.24, available on Fix Central
IBM Sterling Connect:Direct Web Services|6.3|Apply 6.3.0.8, available on Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm sterling_connect\direct, match 6.1

Vendor|Product|Version|CPE
---|---|---|---
ibm|sterling_connect\direct|6.1|cpe:2.3:a:ibm:sterling_connect\:direct:6.1:\*:\*:\*:\*:\*:\*:\*
