
Security Bulletin: IBM Sterling Control Center v6.2.1 and v6.3.1 is vulnerable with IBM Semeru Runtime Quarterly CPU - Oct 2023

Published: 2024-08-13 08:54:01
Source: www.ibm.com

CVSS3: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

| Metric | Value |
|---|---|
| Attack Vector | LOCAL |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

AI Score: 7.7 (Confidence: High)

EPSS: 0.001 (Percentile: 31.4%)

Summary

IBM Semeru Runtime Quarterly CPU - Apr 2023 - includes the OpenJDK October 2023 CPU plus CVE-2023-4807 and CVE-2023-5676, affecting Sterling Control Center v6.2.1 and v6.3.1.

Vulnerability Details

CVEID: CVE-2023-22081
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-22067
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2023-4807
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a state corruption flaw in the POLY1305 MAC (message authentication code) implementation when running on newer X86_64 processors supporting the AVX512-IFMA instructions. A local authenticated attacker could exploit this vulnerability to cause an incorrect result of some application-dependent calculations or a crash, or in some cases gain complete control of the application process.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/265578 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-5676
**DESCRIPTION:** Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Control Center | 6.2.1 |
| IBM Control Center | 6.3.1 |

Remediation/Fixes

| Product | Version | Remediation |
|---|---|---|
| IBM Sterling Control Center | 6.3.1.0 GA through iFix02 | 6.3.1.0 iFix02 Fix Central - 6.3.1.0 |
| IBM Sterling Control Center | 6.2.1.0 GA through iFix13 | 6.2.1.0 iFix13 Fix Central - 6.2.1.0 |

Workarounds and Mitigations

  • 6.3.1 CVEs update:

    • The above vulnerabilities are fixed in 6.3.1 iFix02 with the recent upgrade to 17.0.10.

  • 6.2.1 CVEs update:

    • CVE-2023-22081 - fixed in 8.0.8.15.
    • CVE-2023-22067 - fixed in 8.0.8.15.
    • CVE-2023-4807 - NA.
    • CVE-2023-5676 - fixed in 8.0.8.15.
    • The above vulnerabilities are fixed in 6.2.1 iFix13 with the Java version upgrade to 8.0.8.20.

Affected configurations

Vulners node: ibm control_center Match 6.3.1.0 OR ibm control_center Match 6.2.1.0

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | control_center | 6.3.1.0 | cpe:2.3:a:ibm:control_center:6.3.1.0:*:*:*:*:*:*:* |
| ibm | control_center | 6.2.1.0 | cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:* |
