Lucene search

IBM7A9BF1BA1BAB98C8530A426980A91F0405C9ABE34D08AEE443EBA5110A7FFB80

HistoryDec 20, 2023 - 2:45 p.m.

Security Bulletin: IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-39975, CVE-2023-34042)

2023-12-2014:45:05

www.ibm.com

ibm security guardium

multiple vulnerabilities

fixed

update

version 12.0

mit kerberos 5

vmware tanzu spring security

denial of service

authorization data handling

bypass security restrictions

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

41.3%

JSON

Summary

IBM Security Guardium has fixed these vulnerabilities

Vulnerability Details

CVEID:CVE-2023-39975
**DESCRIPTION:**MIT Kerberos 5 (aka krb5) is vulnerable to a denial of service, caused by a double free in KDC TGS processing. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a failure in authorization data handling, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263899 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-34042
**DESCRIPTION:**VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused by an incorrect permission assignment for spring-security.xsd file inside the spring-security-config jar. By sending a specially crafted request, an attacker could exploit this vulnerability to write the spring-security.xsd file.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267747 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Security Guardium	12.0

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Product	Versions	Fix
IBM Security Guardium	12.0	https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=12.0&platform=Linux&function=fixId&fixids=SqlGuard_12.0p6002_November-Security-Patch_V12.0&includeSupersedes=0&source=fc

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsecurity_guardiumMatch12.0

CPENameOperatorVersion
ibm security guardiumeq12.0

CPE	Name	Operator	Version
	ibm security guardium	eq	12.0

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

41.3%

JSON

Related for 7A9BF1BA1BAB98C8530A426980A91F0405C9ABE34D08AEE443EBA5110A7FFB80