Lucene search

IBMDD0242BF5A2BD5E80173BDEE56C8A2B9368818D8BCCDB33834CD9E78CB29208B

HistoryJul 24, 2023 - 8:36 p.m.

Security Bulletin: VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component

2023-07-2420:36:49

www.ibm.com

ibm maximo application suite

monitor component

vmware tanzu spring security

cve-2022-31692

cve-2023-20862

remote attacker

bypass security restrictions

authorization rules

logout support feature

affected products

versions

remediation

fixes

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

48.4%

JSON

Summary

IBM Maximo Application Suite - Monitor Component uses VMware Tanzu Spring Security which is vulnerable to CVE-2022-31692 and CVE-2023-20862.

Vulnerability Details

CVEID:CVE-2022-31692
**DESCRIPTION:**VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw when using forward or include dispatcher types. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization rules.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239162 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-20862
**DESCRIPTION:**VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by the logout support feature does not properly clean the security context if using serialized versions. By sending a specially-crafted request, an attacker could exploit this vulnerability to remain authenticated after logout is performed.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253351 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Maximo Application Suite - Monitor Component	8.9
IBM Maximo Application Suite - Monitor Component	8.10

Remediation/Fixes

Affected Product(s)	Fixpack Version(s)
IBM Maximo Application Suite - Monitor Component	8.9.6 or latest (available from the Catalog under Update Available)
IBM Maximo Application Suite - Monitor Component	8.10.4 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_application_suiteMatch8.9

ibmmaximo_application_suiteMatch8.10

VendorProductVersionCPE
ibmmaximo_application_suite8.9cpe:2.3:a:ibm:maximo_application_suite:8.9:*:*:*:*:*:*:*
ibmmaximo_application_suite8.10cpe:2.3:a:ibm:maximo_application_suite:8.10:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	maximo_application_suite	8.9	cpe:2.3:a:ibm:maximo_application_suite:8.9:::::::*
ibm	maximo_application_suite	8.10	cpe:2.3:a:ibm:maximo_application_suite:8.10:::::::*