CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
31.4%
IBM Tivoli Application Dependency Discovery Manager is vulnerable to denial of service due to use of IBM Java and runtimes (CVE-2023-22045, CVE-2023-22049, CVE-2023-22081, CVE-2023-22067, CVE-2023-5676)
CVEID:CVE-2023-22045
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-22049
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-22081
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2023-22067
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-5676
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0 -7.3.0.10 |
In order to fix this vulnerability, Java needs to be upgraded to 8.0.8.15 for TADDM versions 7.3.0.7 - 7.3.0.10.
Check java version installed on TADDM servers using the below command:
$COLLATION_HOME/external/<jdk- folder according to OS>/bin/java -version
For TADDM 7.3.0.0 - 7.3.0.4 (JAVA 7), Please upgrade to IBM Tivoli Application Dependency Discovery Manager Version 7.3.0.7 or later (IBM Recommends the latest release 7.3.0.11).
For TADDM 7.3.0.5 - 7.3.0.6 (Java 8) Please upgrade to IBM Tivoli Application Dependency Discovery Manager Version 7.3.0.7 or later (IBM Recommends the latest release 7.3.0.11).
For TADDM 7.3.0.7 - 7.3.0.10 (JAVA 8), if the above command output contains**“SR6 FP10”**or “8.0.6.10” or higher as build in Java™ SE Runtime Environment information, apply e-fix for the new IBM SDK only,**efix_jdk8.0.7.20_FP10221123.zip **given in Table-1 below.
For all other cases: Please contact IBM Support and open a case with TADDM version and a link to this bulletin.
Table-1:
Please review the eFix readme in etc/efix_readme.txt. The fixes for the respective FixPack(s) can be downloaded and applied directly.
Fix|
VRMF
| APAR|How to acquire fix
—|—|—|—
efix_jdk_8.0.8.15_FP10221123.zip|
7.3.0.7 - 7.3.0.10
| None| Download eFix
Table-2:
Below are the JRE:
Fix|
VRMF
| APAR|How to acquire fix
—|—|—|—
ibm-java-jre-80-win-i386|
7.3.0.7 - 7.3.0.10
| None| Download eFix
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | tivoli_application_dependency_discovery_manager | 7.3.0.0 | cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:* |
ibm | tivoli_application_dependency_discovery_manager | 7.3.0.9 | cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.9:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
31.4%