Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

Summary

There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. The Bouncy Castle Crypto Package For Java could allow a remote authenticated attacker to obtain sensitive information (CVE-2024-30171) and is vulnerable to a denial of service (CVE-2024-29857 and CVE-2024-30172). Protocol Buffers protobuf-go is vulnerable to a denial of service (CVE-2024-24786). Keycloak is vulnerable to cross-site request forgery (CVE-2024-5203), could allow a remote authenticated attacker to bypass security restrictions (CVE-2023-3597), and could allow a remote attacker to conduct phishing attacks (CVE-2024-2419). Node.je decompress could allow a remote attacker to traverse directories on the system (CVE-2020-12265). These components are used in IBM i Modernization Engine for Lifecycle Integration for infrastructure support in the platform. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2024-30171
**DESCRIPTION:**The Bouncy Castle Crypto Package For Java could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the RSA decryption (both PKCS#1v1.5 and OAEP) feature. By utilize timing side-channel attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289411 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-5203
**DESCRIPTION:**Keycloak in is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to /login-actions/authenticate. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294938 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2020-12265
**DESCRIPTION:**Node.je decompress could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to containing ‘…/’ in an archive member to modify arbitrary files on the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180868 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-3597
**DESCRIPTION:**Keycloak could allow a remote authenticated attacker to bypass security restrictions, caused by improper validating client step-up authentication in org.keycloak.authentication. By sending a specially crafted request, an attacker could exploit this vulnerability to register a false second authentication factor along with an existing one and bypass authentication.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289399 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2024-29857
**DESCRIPTION:**The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by improper input validation. By importing an EC certificate with crafted F2m parameters, a remote attacker could exploit this vulnerability to cause excessive CPU consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290285 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-2419
**DESCRIPTION:**Keycloak could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the redirect_uri validation logic. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288179 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)

CVEID:CVE-2024-30172
**DESCRIPTION:**The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by an infinite loop in the Ed25519 verification code. By persuading a victim to use a specially crafted signature and public key, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290103 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-24786
**DESCRIPTION:**Protocol Buffers protobuf-go is vulnerable to a denial of service, caused by an infinite loop flaw in the rotojson.Unmarshal function when unmarshaling certain forms of invalid JSON. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285337 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Workarounds and Mitigations

None