IBMAA26E75EA0A2B2DED2205F95649F1D4CBFC90AFDD5B1B67F81E4F76A3625E073Security Bulletin: IBM Navigator for i and IBM Digital Certificate Manager for i are vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928).
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
27.0%
Summary
IBM Navigator for i and IBM Digital Certificate Manager for i use the IBM Toolbox for Java to access IBM i interfaces. IBM Toolbox for Java could allow sensitive information stored as Java strings to be obtained by an attacker as described in the vulnerability details section. IBM Navigator for i and IBM Digital Certificate Manager for i have addressed the vulnerability with a fix as described in the remediation/fixes section.
Vulnerability Details
CVEID:CVE-2022-43928
**DESCRIPTION:**The IBM Toolbox for Java could allow a user to obtain sensitive information, caused by utilizing a Java string for processing. Since Java strings are immutable, their contents exist in memory until garbage collected. This means sensitive data could be visible in memory over an indefinite amount of time. IBM has addressed this issue by reducing the amount of time the sensitive data is visible in memory.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241675 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM i | 7.5 |
| IBM i | 7.4 |
| IBM i | 7.3 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, and 7.3 will be fixed.
The IBM i PTFs containing the fixes for IBM Navigator for i and IBM Digital Certificate Manager for i are included in the IBM HTTP Server for i Group PTF. Future Group PTFs for IBM HTTP Server for i will also contain the fixes for the vulnerability.
IBM i Release| 5770-DG1
IBM HTTP Server for i Group PTF - Level| PTF Download Link
—|—|—
7.5| SF99952 - 06| SF99952 750 IBM HTTP Server for i
7.4| SF99662 - 27| SF99662 740 IBM HTTP Server for i
7.3| SF99722 - 44| SF99722 730 IBM HTTP Server for i
<https://www.ibm.com/support/fixcentral>
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | i | 7.3.0 | cpe:2.3:o:ibm:i:7.3.0:*:*:*:*:*:*:* |
| ibm | i | 7.4.0 | cpe:2.3:o:ibm:i:7.4.0:*:*:*:*:*:*:* |
| ibm | i | 7.5.0 | cpe:2.3:o:ibm:i:7.5.0:*:*:*:*:*:*:* |
| ibm | planning_analytics | 7.3.0 | cpe:2.3:a:ibm:planning_analytics:7.3.0:*:*:*:*:*:*:* |
| ibm | ibm_i_7.5_preventative_service_planning | 7.5.0 | cpe:2.3:a:ibm:ibm_i_7.5_preventative_service_planning:7.5.0:*:*:*:*:*:*:* |
| ibm | planning_analytics | 7.4.0 | cpe:2.3:a:ibm:planning_analytics:7.4.0:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
27.0%