CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
55.2%
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM Tivoli Application Dependency Discovery Manager (TADDM). These issues were disclosed as part of the IBM Java SDK updates in January 2024.
CVEID:CVE-2024-20952
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID:CVE-2024-20918
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID:CVE-2024-20921
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2024-20919
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high integrity impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279785 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2024-20926
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2024-20945
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-33850
**DESCRIPTION:**IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0 - 7.3.0.11 |
In order to fix this vulnerability, Java needs to be upgraded to 8.0.8.15 for TADDM versions 7.3.0.7 - 7.3.0.10.
Check java version installed on TADDM servers using the below command:
$COLLATION_HOME/external/<jdk- folder according to OS>/bin/java -version
For TADDM 7.3.0.0 - 7.3.0.4 (JAVA 7), Please upgrade to IBM Tivoli Application Dependency Discovery Manager Version 7.3.0.7 or later (IBM Recommends the latest release 7.3.0.11).
For TADDM 7.3.0.5 - 7.3.0.6 (Java 8) Please upgrade to IBM Tivoli Application Dependency Discovery Manager Version 7.3.0.7 or later (IBM Recommends the latest release 7.3.0.11).
For TADDM 7.3.0.7 - 7.3.0.11 (JAVA 8), if the above command output contains**“SR6 FP10”**or “8.0.6.10” or higher as build in Java™ SE Runtime Environment information, apply e-fix for the new IBM SDK only,**efix_jdk8.0.8.20_FP11230825.zip **given in Table-1 below.
For all other cases: Please contact IBM Support and open a case with TADDM version and a link to this bulletin.
Table-1:
Please review the eFix readme in etc/efix_readme.txt. The fixes for the respective FixPack(s) can be downloaded and applied directly.
Fix
|
VRMF
|
APAR
|
How to acquire fix
—|—|—|—
efix_jdk_8.0.8.20_FP11230825.zip
|
7.3.0.7 - 7.3.0.11
|
None
|
Please review the eFix readme in etc/efix_readme.txt
Below are the JRE for Windows:
Fix
|
VRMF
|
APAR
|
** How to acquire fix**
—|—|—|—
ibm-java-jre-80-win-i386
|
7.3.0.7 - 7.3.0.11
|
None
|
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | tivoli_application_dependency_discovery_manager | 7.3.0 | cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
55.2%