Lucene search

IBMB00C641639E0C7B6655AECE025DF327791466382D40DFE5A25E69D817593761C

HistorySep 07, 2023 - 5:06 p.m.

Security Bulletin: There is a vulnerability in Netty used by IBM Maximo Asset Management ( CVE-2022-24823)

2023-09-0717:06:38

www.ibm.com

ibm maximo asset management

netty vulnerability

cve-2022-24823

information disclosure

interim fix

fix central

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

Percentile

10.4%

JSON

Summary

There is a vulnerability in Netty used by IBM Maximo Asset Management.

Vulnerability Details

CVEID:CVE-2022-24823
**DESCRIPTION:**Netty could allow a local authenticated attacker to obtain sensitive information, caused by a flaw when temporary storing uploads on the disk is enabled. By gaining access to the local system temporary directory, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225922 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product. The recommended action is to update to the latest version.

Product versions affected:

Affected Product(s)	Version(s)
IBM Maximo Asset Management	7.6.1.2

To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6:

VRM	Fix Pack, Feature Pack, or Interim Fix	Download
7.6.1.2	Maximo Asset Management 7.6.1.2 iFix:
7.6.1.2-TIV-MBS-IFI036 or latest Interim Fix available	FixCentral

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_asset_managementMatch7.6.1

ibmcontrol_deskMatch7.6.1.1

ibmcontrol_deskMatch7.6.1

ibmmaximo_spatial_asset_managementMatch7.6.0.5

ibmmaximo_spatial_asset_managementMatch7.6.0.4

ibmmaximo_spatial_asset_managementMatch7.6.0.3

ibmmaximo_spatial_asset_managementMatch7.6.0.2

ibmmaximo_asset_configuration_managerMatch7.6.6

ibmmaximo_asset_configuration_managerMatch7.6.7

ibmmaximo_for_nuclear_powerMatch7.6.1

ibmmaximo_for_service_providersMatch7.6.3.3

ibmmaximo_for_service_providersMatch7.6.3.2

ibmmaximo_for_service_providersMatch7.6.3.1

ibmmaximo_for_transportationMatch7.6.2.5

ibmmaximo_for_transportationMatch7.6.2.4

ibmmaximo_for_transportationMatch7.6.2.3

ibmmaximo_for_oil_and_gasMatch7.6.1

ibmmaximo_for_utilitiesMatch7.6.0.2

ibmmaximo_for_utilitiesMatch7.6.0.1

ibmmaximo_for_aviationMatch7.6.8

ibmmaximo_for_aviationMatch7.6.7

ibmmaximo_for_aviationMatch7.6.6

ibmmaximo_for_life_sciencesMatch7.6

VendorProductVersionCPE
ibmmaximo_asset_management7.6.1cpe:2.3:a:ibm:maximo_asset_management:7.6.1:*:*:*:*:*:*:*
ibmcontrol_desk7.6.1.1cpe:2.3:a:ibm:control_desk:7.6.1.1:*:*:*:*:*:*:*
ibmcontrol_desk7.6.1cpe:2.3:a:ibm:control_desk:7.6.1:*:*:*:*:*:*:*
ibmmaximo_spatial_asset_management7.6.0.5cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.5:*:*:*:*:*:*:*
ibmmaximo_spatial_asset_management7.6.0.4cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.4:*:*:*:*:*:*:*
ibmmaximo_spatial_asset_management7.6.0.3cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.3:*:*:*:*:*:*:*
ibmmaximo_spatial_asset_management7.6.0.2cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.2:*:*:*:*:*:*:*
ibmmaximo_asset_configuration_manager7.6.6cpe:2.3:a:ibm:maximo_asset_configuration_manager:7.6.6:*:*:*:*:*:*:*
ibmmaximo_asset_configuration_manager7.6.7cpe:2.3:a:ibm:maximo_asset_configuration_manager:7.6.7:*:*:*:*:*:*:*
ibmmaximo_for_nuclear_power7.6.1cpe:2.3:a:ibm:maximo_for_nuclear_power:7.6.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	maximo_asset_management	7.6.1	cpe:2.3:a:ibm:maximo_asset_management:7.6.1:::::::*
ibm	control_desk	7.6.1.1	cpe:2.3:a:ibm:control_desk:7.6.1.1:::::::*
ibm	control_desk	7.6.1	cpe:2.3:a:ibm:control_desk:7.6.1:::::::*
ibm	maximo_spatial_asset_management	7.6.0.5	cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.5:::::::*
ibm	maximo_spatial_asset_management	7.6.0.4	cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.4:::::::*
ibm	maximo_spatial_asset_management	7.6.0.3	cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.3:::::::*
ibm	maximo_spatial_asset_management	7.6.0.2	cpe:2.3:a:ibm:maximo_spatial_asset_management:7.6.0.2:::::::*
ibm	maximo_asset_configuration_manager	7.6.6	cpe:2.3:a:ibm:maximo_asset_configuration_manager:7.6.6:::::::*
ibm	maximo_asset_configuration_manager	7.6.7	cpe:2.3:a:ibm:maximo_asset_configuration_manager:7.6.7:::::::*
ibm	maximo_for_nuclear_power	7.6.1	cpe:2.3:a:ibm:maximo_for_nuclear_power:7.6.1:::::::*