Published: Dec 04, 2023 - 7:56 a.m.

Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is vulnerable to denial of service due to procps-ng (CVE-2023-4016)

Source: www.ibm.com

CVSS3: 3.3 Low

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

AI Score: 6.6 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.2%)

Summary

IBM Sterling Connect:Direct for UNIX Certified Container uses procps-ng package which is vulnerable to denial of service attack.

Vulnerability Details

CVEID: CVE-2023-4016
**DESCRIPTION:** procps-ng procps is vulnerable to a denial of service, caused by a heap-based buffer overflow when running the "ps" utility. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/262340 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Connect:Direct for UNIX | 6.3.0 |
| IBM Sterling Connect:Direct for UNIX | 6.2.0 |
| IBM Sterling Connect:Direct for UNIX | 6.1.0 |
| IBM Sterling Connect:Direct for UNIX | 6.0.0 |

Remediation/Fixes

Note: Consistent with the Continuous Delivery DevOps model, IBM Sterling Connect:Direct for UNIX Certified Container fixes are provided on the latest release only.

| Product(s) | Version(s) | APAR | Remediation/Fix |
|---|---|---|---|
| IBM Sterling Connect:Direct for UNIX | 6.3.0 IBM Certified Container | IT44998 | Apply 6.3.0.1, see Downloading the Certified Container Software |
| IBM Sterling Connect:Direct for UNIX | 6.2.0 IBM Certified Container | IT44998 | Apply 6.3.0.1, see Downloading the Certified Container Software |
| IBM Sterling Connect:Direct for UNIX | 6.1.0 IBM Certified Container | IT44998 | Apply 6.3.0.1, see Downloading the Certified Container Software |
| IBM Sterling Connect:Direct for UNIX | 6.0.0 IBM Certified Container | IT44998 | Apply 6.3.0.1, see Downloading the Certified Container Software |

Workarounds and Mitigations

None
