Lucene search

IBM92729CF2E5132D3C35415FE8AF095EC0B4FBA33A933E9D00F1AF6F3A3E89B975

HistoryOct 30, 2023 - 5:11 p.m.

Security Bulletin: Due to the use of OpenSSL IBM Tivoli Netcool System Service Monitors/Application Service Monitors is vulnerable to a denial of service and security bypass restrictions.

2023-10-3017:11:24

www.ibm.com

ibm

tivoli

netcool

openssl

cve-2023-2650

cve-2023-0466

cve-2023-0465

denial of service

security bypass

vulnerability

fix

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.9%

JSON

Summary

OpenSSL is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors. CVE-2023-2650, CVE-2023-0466 and CVE-2023-0465

Vulnerability Details

CVEID:CVE-2023-2650
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-0466
**DESCRIPTION:**OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using invalid certificate policies, an attacker could exploit this vulnerability to bypass certificate verification.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251307 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-0465
**DESCRIPTION:**OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw when using a non-default option to verify certificates. By using invalid certificate policies in leaf certificates, an attacker could exploit this vulnerability to bypass policy checking.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251293 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Tivoli Netcool System Service Monitors/Application Service Monitors	4.0.1

Remediation/Fixes

Product	VMRF	APAR	Remediation/First Fix
IBM Tivoli Netcool System Service Monitors/Application Service Monitors	4.0.1 SP11	PSIRTs Only	https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Netcool+System+Service+Monitor&release=4.0.1.3&platform=All&function=fixId&fixids=4.0.1.3-TIV-SSM-IF0011&includeSupersedes=0&source=fc

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmnetcool\/system_service_monitorMatch4.0.1

CPENameOperatorVersion
netcool/system service monitoreq4.0.1

CPE	Name	Operator	Version
	netcool/system service monitor	eq	4.0.1

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.9%

JSON

Related for 92729CF2E5132D3C35415FE8AF095EC0B4FBA33A933E9D00F1AF6F3A3E89B975