Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM103EA163CE6BA94C3571086A36BDAD92915A4BF88B6551DD1CF420092CAEB0CD
HistoryJan 31, 2023 - 2:18 p.m.

Security Bulletin: IBM Sterling Secure Proxy vulnerable to multiple issues

2023-01-3114:18:52
www.ibm.com
77
ibm sterling secure proxy
6.0.3
ifix 06
cve-2022-23437
cve-2022-31772
cve-2022-34362
cve-2022-35720
apache xerces2 java xml parser
ibm mq 8.0
9.0 lts
mqtt channels
http header injection
ibm sterling external authentication server
cryptographic algorithms.

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.005

Percentile

76.1%

JSON

Summary

Multiple vulnerabilities affect IBM Sterling Secure Proxy 6.0.3.0 and are addressed in the latest iFix.

Vulnerability Details

CVEID:CVE-2022-23437
**DESCRIPTION:**Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially-crafted XML document payloads, a remote attacker could exploit this vulnerability to consume system resources for prolonged duration.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217982 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-31772
**DESCRIPTION:**IBM MQ 8.0, 9.0 LTS, 9.1 CD, 9.1 LTS, 9.2 CD, and 9.2 LTS could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. IBM X-Force ID: 228335.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228335 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-34362
**DESCRIPTION:**IBM Sterling Secure Proxy is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230523 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2022-35720
**DESCRIPTION:**IBM Sterling External Authentication Server uses weaker than expected cryptographic algorithms during installation that could allow a local attacker to decrypt sensitive information.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231373 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Secure Proxy 6.0.3

Remediation/Fixes

Product Version Remediation
IBM Sterling Secure Proxy 6.0.3 6.0.3 iFix 06 on FixCentral

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsterling_secure_proxyMatch6.0.3
VendorProductVersionCPE
ibmsterling_secure_proxy6.0.3cpe:2.3:a:ibm:sterling_secure_proxy:6.0.3:*:*:*:*:*:*:*

Related

cvelist 4
cnvd 3
cve 4
prion 4
ibm 39
nessus 25
nvd 4
osv 4
suse 2
openvas 9
rubygems 1
ubuntucve 1
redhatcve 1
github 2
veracode 1
debiancve 1
redhat 4
oracle 6
cvelist
cvelist
CVE-2022-31772 IBM MQ denial of service
2022-11-11 18:56:12
CVE-2022-35720 IBM Sterling External Authentication Server information disclosure
2023-02-08 18:24:03
CVE-2022-34362 IBM Sterling Secure Proxy HOST header injection
2023-02-08 18:30:03
cnvd
cnvd
IBM MQ Input Validation Error Vulnerability (CNVD-2023-08771)
2022-11-06 00:00:00
IBM Sterling External Authentication Server Encryption Issue Vulnerability
2023-02-09 00:00:00
Apache Xerces Denial of Service Vulnerability
2022-01-26 00:00:00
cve
cve
CVE-2022-31772
2022-11-11 19:15:10
CVE-2022-35720
2023-02-08 19:15:11
CVE-2022-34362
2023-02-08 19:15:11
prion
prion
Code injection
2022-11-11 19:15:00
Authentication flaw
2023-02-08 19:15:00
Cross site scripting
2023-02-08 19:15:00
ibm
ibm
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer operands may be vulnerable to denial of service due to CVE-2022-31772
2022-11-08 11:12:19
Security Bulletin: IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772)
2023-01-25 15:18:56
Security Bulletin: IBM Sterling Control Center is vulnerable to a denial of service vulnerability due to Apache Xerces2 Java XML Parser (CVE-2022-23437)
2022-06-13 17:15:01
nessus
nessus
IBM MQ Authenticated DoS (6833806)
2022-11-10 00:00:00
RHEL 9 : xerces-j2 (Unpatched Vulnerability)
2024-06-03 00:00:00
SUSE SLES12 Security Update : xerces-j2 (SUSE-SU-2022:0542-1)
2022-02-22 00:00:00
nvd
nvd
CVE-2022-31772
2022-11-11 19:15:10
CVE-2022-35720
2023-02-08 19:15:11
CVE-2022-34362
2023-02-08 19:15:11
osv
osv
XML Injection in Xerces Java affects Nokogiri
2022-04-11 21:30:00
xerces-j2-2.12.2-1.1 on GA media
2024-06-15 00:00:00
Infinite Loop in Apache Xerces Java
2022-01-27 16:13:07
suse
suse
Security update for xerces-j2 (important)
2022-02-18 00:00:00
Security update for xerces-j2 (important)
2022-02-18 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:0503-1)
2022-02-19 00:00:00
openSUSE: Security Advisory for xerces-j2 (openSUSE-SU-2022:0500-1)
2022-02-22 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:0542-1)
2022-02-22 00:00:00
rubygems
rubygems
XML Injection in Xerces Java affects Nokogiri
2022-04-10 21:00:00
ubuntucve
ubuntucve
CVE-2022-23437
2022-01-24 00:00:00
redhatcve
redhatcve
CVE-2022-23437
2022-01-27 11:58:37
github
github
XML Injection in Xerces Java affects Nokogiri
2022-04-11 21:30:00
Infinite Loop in Apache Xerces Java
2022-01-27 16:13:07
veracode
veracode
Denial Of Service (DoS)
2022-01-25 04:25:23
debiancve
debiancve
CVE-2022-23437
2022-01-24 15:15:09
redhat
redhat
(RHSA-2022:4919) Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 8
2022-06-06 14:31:32
(RHSA-2022:4922) Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update
2022-06-06 15:07:26
(RHSA-2022:4918) Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7
2022-06-06 14:31:15
oracle
oracle
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - October 2022
2022-10-18 00:00:00
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.005

Percentile

76.1%

JSON
Related for 103EA163CE6BA94C3571086A36BDAD92915A4BF88B6551DD1CF420092CAEB0CD
cvelist4cnvd3cve4prion4ibm39nessus25nvd4osv4suse2openvas9rubygems1ubuntucve1redhatcve1github2veracode1debiancve1redhat4oracle6