Security Bulletin: Multiple Security Vulnerabilities were found in Open Source libraries used to deploy IBM Security Verify Access Appliances (CVE-2024-31871, CVE-2024-31872, CVE-2024-31873, CVE-2024-31874)

Published: 2024-04-10 16:22:23
Source: www.ibm.com
Tags: ibm security verify access, open source, appliance, vulnerabilities, cvss score, github, python, scripts, certificate validation, uninitialized variables, hard-coded credentials, man in the middle attack

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.5
Confidence: High
EPSS: 0
Percentile: 9.0%

Summary

An open source repository of Python deployment scripts for the ISVA (IBM Security Verify Access) appliance is published on GitHub at https://github.com/IBM-Security/ibmsecurity. The vulnerabilities reported against that public repository have been addressed.

Vulnerability Details

CVEID: CVE-2024-31872
**DESCRIPTION:** IBM Security Verify Access Appliance could allow a malicious actor to conduct a man-in-the-middle attack when deploying the open source scripts, due to missing certificate validation.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/287316 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2024-31874
**DESCRIPTION:** IBM Security Verify Access Appliance uses uninitialized variables when deploying, which could allow a local user to cause a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/287318 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-31873
**DESCRIPTION:** IBM Security Verify Access Appliance contains hard-coded credentials, used for its own inbound authentication, that could be obtained by a malicious actor.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/287317 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-31871
**DESCRIPTION:** IBM Security Verify Access Appliance could allow a malicious actor to conduct a man-in-the-middle attack when deploying the Python scripts, due to improper certificate validation.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/287306 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s): IBM Security Verify Access
Version(s): 10.0.X

Remediation/Fixes

IBM strongly recommends that customers update their systems promptly.

The updated libraries are available on the public GitHub repository, at https://github.com/IBM-Security/ibmsecurity.

Workarounds and Mitigations

None

Affected configurations

Vulners node match: ibm security_access_manager_appliance 10.0.0 OR 10.0.7

Vendor: ibm
Product: security_access_manager_appliance
Version: 10.0.0 (CPE: cpe:2.3:a:ibm:security_access_manager_appliance:10.0.0:*:*:*:*:*:*:*)
Version: 10.0.7 (CPE: cpe:2.3:a:ibm:security_access_manager_appliance:10.0.7:*:*:*:*:*:*:*)
