Security Bulletin: IBM Engineering Lifecycle Optimization - Publishing Does not support Container authentication from 7.0.3

2024-02-0708:56:12
www.ibm.com

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score: 7.6
Confidence: Low
EPSS: 0.001
Percentile: 31.8%

Summary

IBM Engineering Lifecycle Optimization - Publishing Does not support Container authentication from 7.0.3

Vulnerability Details

CVEID: CVE-2023-45187
DESCRIPTION: IBM Engineering Lifecycle Optimization - Publishing does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
CVSS Base score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268749 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2023-45190
DESCRIPTION: IBM Engineering Lifecycle Optimization is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268754 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2023-45191
DESCRIPTION: IBM Engineering Lifecycle Optimization uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268755 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
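The three CVEs above are three server-side controls that were missing or weak: server-side session invalidation on logout, strict validation of the Host header, and an account lockout policy. The following is an added example, not IBM's code and not part of this bulletin, showing all three controls together in a minimal Python authentication service. The host allow-list, lockout limits, account names and passwords are constructed for the example, and the password hash is a plain SHA-256 stand-in for a real slow KDF.

```python
# Added example (not IBM's code): a minimal, self-contained illustration of the three
# server-side controls whose absence the bulletin describes. All names, hosts, limits
# and accounts below are constructed for the example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed allow-list: the only Host values this service will accept. Anything else,
# including a Host chosen by the client, is rejected before it can reach URL building,
# redirects or cache keys.
ALLOWED_HOSTS = {"pub.example.internal", "pub.example.internal:9443"}

MAX_FAILED_ATTEMPTS = 5     # constructed lockout policy
LOCKOUT_SECONDS = 900


def hash_password(password: str) -> bytes:
    """Stand-in for a slow password KDF; a real deployment would use argon2/bcrypt/scrypt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class Account:
    username: str
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class FakeClock:
    """Controllable clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class AuthService:
    def __init__(self, accounts, clock=None) -> None:
        self._accounts = {a.username: a for a in accounts}
        self._sessions: dict[str, str] = {}   # session id -> username, held server-side
        self._clock = clock or FakeClock()

    def validate_host(self, host_header: str) -> bool:
        """Host header injection control: accept only exact allow-listed values."""
        return host_header.strip().lower() in ALLOWED_HOSTS

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and self._clock() < acct.locked_until

    def login(self, username: str, password: str):
        """Return a session id on success, None on failure or while the account is locked."""
        acct = self._accounts.get(username)
        if acct is None or self.is_locked(username):
            return None
        if not hmac.compare_digest(acct.password_hash, hash_password(password)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = self._clock() + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def whoami(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid) -> None:
        """Session invalidation control: drop the server-side entry, not just the client cookie."""
        self._sessions.pop(sid, None)


def run_demo() -> dict:
    """Exercise each control and report which checks passed."""
    clock = FakeClock()
    svc = AuthService([Account("alice", hash_password("correct horse battery"))], clock)
    sid = svc.login("alice", "correct horse battery")
    results = {"login_ok": sid is not None and svc.whoami(sid) == "alice"}
    svc.logout(sid)
    results["session_dead_after_logout"] = svc.whoami(sid) is None
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong password")
    results["locked_after_failures"] = svc.is_locked("alice")
    results["valid_password_rejected_while_locked"] = svc.login("alice", "correct horse battery") is None
    clock.now += LOCKOUT_SECONDS + 1
    results["unlocks_after_window"] = svc.login("alice", "correct horse battery") is not None
    results["host_allowed"] = svc.validate_host("pub.example.internal")
    results["host_rejected"] = not svc.validate_host("attacker-controlled.example")
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

The point of `logout` is that the session identifier stops working at the server, so a captured or reused identifier cannot be presented again after the user has logged out; clearing only the browser cookie would leave the server-side entry live. The lockout counter resets on a successful login and on expiry of the window, and `validate_host` compares against an exact allow-list rather than trying to sanitise the header.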

Affected Products and Versions

Affected Product(s) | Version(s)
PUB | 7.0.3
PUB | 7.0.2

Remediation/Fixes

IBM Engineering Lifecycle Optimization - Publishing Does not support Container authentication from 7.0.3

The CVEs below arise from server container authentication. From PUB 7.0.3, container authentication is not supported; please read the document here: <https://www.ibm.com/docs/en/engineering-lifecycle-management-suite/lifecycle-optimization-publishing/7.0.3?topic=authentication-container>

CVEIDs: CVE-2023-45187, CVE-2023-45190, CVE-2023-45191

Workarounds and Mitigations

Do not use container authentication; use JTS authentication instead.

Affected configurations

Vulners match: ibm engineering_lifecycle_optimization_-_publishing 7.0.2 OR ibm engineering_lifecycle_optimization_-_publishing 7.0.3

Vendor | Product | Version | CPE
ibm | engineering_lifecycle_optimization_-_publishing | 7.0.2 | cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.2:*:*:*:*:*:*:*
ibm | engineering_lifecycle_optimization_-_publishing | 7.0.3 | cpe:2.3:a:ibm:engineering_lifecycle_optimization_-_publishing:7.0.3:*:*:*:*:*:*:*
