History: Feb 15, 2024 - 7:37 p.m.

Security Bulletin: IBM Copy Services manager is affected by IBM SDK, Java Technology Edition Quarterly CPU - Oct 2023 - Includes Oracle October 2023 CPU plus CVE-2023-5676

Published: 2024-02-15 19:37:34
Source: www.ibm.com
Tags: ibm copy services manager, java se cves, oracle october 2023, upgrade, data integrity threats, eclipse openj9, mitigations, network access restriction

CVSS3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED
Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH
AI Score: 6.1 (Confidence: High)
EPSS: 0.001 (Percentile: 31.4%)

Summary

IBM Copy Services Manager is affected by all applicable Java SE CVEs published by Oracle as part of their October 2023 Critical Patch Update, plus CVE-2023-5676.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s): IBM Copy Services Manager
Version(s): 6.3.9

Remediation/Fixes

Upgrade to Copy Services Manager 6.3.9 to pick up an updated version of Java 11.

Data integrity threats:

CVEID: CVE-2023-22081
Description: An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/268929> for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Platforms: Oracle Java SE 8u381

CVEID: CVE-2023-22067
Description: An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/268928> for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Platforms: Oracle Java SE 8u381

CVEID: CVE-2023-5676
Description: Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base Score: 4.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/271615> for more information
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
Affected Platforms: Eclipse OpenJ9 0.40.0 (<https://www.ibm.com/support/pages/node/7078433>)

Workarounds and Mitigations

Although IBM recommends that you upgrade to the fixes identified above, you can mitigate, but not eliminate, the risk of these vulnerabilities by restricting physical and network access to the Copy Services Manager Server to authorized users and IBM Service Personnel only.

Affected configurations (Vulners)

Node: ibm ibm_copy_services_manager_\(csm\)_-_remove, Match 6.3.2
Vendor: ibm; Product: ibm_copy_services_manager_\(csm\)_-_remove; Version: 6.3.2
CPE: cpe:2.3:a:ibm:ibm_copy_services_manager_\(csm\)_-_remove:6.3.2:*:*:*:*:*:*:*
