Lucene search

IBM513F011CECD696E8183A7770E579DB6B83CFFF2760FDFA31493E4B57AC1CEBFC

HistoryJul 02, 2024 - 11:31 a.m.

Security Bulletin: IBM PowerVM Novalink is vulnerable because jose4j is vulnerable to a denial of service, caused by improper input validation.

2024-07-0211:31:02

www.ibm.com

ibm powervm novalink

denial of service

jose4j

improper input validation

vulnerability

remote attacker

cve-2023-51775

cvss base score

affected products

powervm novalink 2.0.0.0

powervm novalink 2.0.1

powervm novalink 2.0.2

powervm novalink 2.0.2.1

powervm novalink 2.0.3

powervm novalink 2.0.3.1

powervm novalink 2.1.0

powervm novalink 2.1.1

powervm novalink 2.2.0

powervm novalink 2.2.1

update

remediation

pvm-novalink-2.0.3.1-240625

pvm-novalink-2.1.1-240625

pvm-novalink-2.2.1-240626

system vulnerability

security bulletin

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

JSON

Summary

IBM PowerVM Novalink is vulnerable because jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.

Vulnerability Details

CVEID:CVE-2023-51775
**DESCRIPTION:**jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/275907 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Products and Versions:

Affected Product(s)	Version(s)
PowerVM Novalink	2.0.0.0
PowerVM Novalink	2.0.1
PowerVM Novalink	2.0.2
PowerVM Novalink	2.0.2.1
PowerVM Novalink	2.0.3
PowerVM Novalink	2.0.3.1
PowerVM Novalink	2.1.0
PowerVM Novalink	2.1.1
PowerVM Novalink	2.2.0
PowerVM Novalink	2.2.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading based on the table below.

Product	Version	Remediation
PowerVM Novalink	2.0.0.0

Update to pvm-novalink-2.0.3.1-240625

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.0.1|

Update to pvm-novalink-2.0.3.1-240625

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.0.2|

Update to pvm-novalink-2.0.3.1-240625

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.0.2.1|

Update to pvm-novalink-2.0.3.1-240625

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.0.3|

Update to pvm-novalink-2.0.3.1-240625

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.0.3.1|

Update to pvm-novalink-2.0.3.1-240625

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.1.0|

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.1.1|

Update to pvm-novalink-2.1.1-240625

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.2.0|

Update to pvm-novalink-2.2.1-240626

PowerVM Novalink| 2.2.1|

Update to pvm-novalink-2.2.1-240626

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmpowervmMatch2.2.1

ibmpowervmMatch2.1.1

ibmpowervmMatch2.0.3.1

VendorProductVersionCPE
ibmpowervm2.2.1cpe:2.3:o:ibm:powervm:2.2.1:*:*:*:*:*:*:*
ibmpowervm2.1.1cpe:2.3:o:ibm:powervm:2.1.1:*:*:*:*:*:*:*
ibmpowervm2.0.3.1cpe:2.3:o:ibm:powervm:2.0.3.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	powervm	2.2.1	cpe:2.3:o:ibm:powervm:2.2.1:::::::*
ibm	powervm	2.1.1	cpe:2.3:o:ibm:powervm:2.1.1:::::::*
ibm	powervm	2.0.3.1	cpe:2.3:o:ibm:powervm:2.0.3.1:::::::*