Lucene search

IBM019BC64BD7D7A3CBDE3F86A7E9C26B39FC52E1FFA89C93A2C2554ABE2AE28C7B

HistorySep 11, 2024 - 11:24 a.m.

Security Bulletin: Multiple Vulnerabilities in IBM Application Performance Management Core Framework.

2024-09-1111:24:19

www.ibm.com

ibm application performance management

core framework

vulnerabilities

java se

object request broker

eclipse openj9

confidentiality

integrity

availability

apm agents

cloud apm

interim fix.

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

JSON

Summary

Multiple vulnerabilities were addressed in IBM Application Performance Management 8.1.4.0 Core Framework IF27 patch.

Vulnerability Details

CVEID:CVE-2024-21094
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-21011
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-38264
**DESCRIPTION:**The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-3933
**DESCRIPTION:**Eclipse Openj9 could allow a local authenticated attacker to bypass security restrictions, caused by the failure to restrict access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. By sending a specially crafted request, an attacker could exploit this vulnerability to gain read and write to addresses beyond the end of the array range.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292491 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
APM Agents for Monitoring	APM agents using core framework version 8.1.4 to 8.1.4 IF26 patch

Remediation/Fixes

Product| Product
VRMF| Remediation
—|—|—

IBM Cloud Application Performance Management, Base Private

IBM Cloud Application Performance Management, Advanced Private

| 8.1.4|

The vulnerabilities can be remediated by applying the Core Framework interim fix8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0027 to all systems where Cloud APM agents are installed:

<https://www.ibm.com/support/pages/node/7167581>

IBM Cloud Application Performance Management| N/A| After your subscription is upgraded to V8.1.4, the vulnerabilities can be remediated by either

a) downloading the Core Framework interim fix 8.1.4.0-IBM-APM-CORE-FRAMEWORK-APM-IF0027 to all systems where Cloud APM agents are installed and applying the fix by following the instructions at this link:
<https://www.ibm.com/support/pages/node/7167581>

b) downloading the Cloud APM agent packages for the operating systems that your agents run on and using the downloaded packages to upgrade existing agents to use the updated Core Framework or to install new agents with the updated Core Framework.

Please refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/download_agents_intro.htm> for details on downloading agent packages from IBM Marketplace

Please refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_agent_upgrade.htm>
for details on upgrading existing agents.

Please refer to the link <https://www.ibm.com/support/knowledgecenter/SSMKFH/com.ibm.apmaas.doc/install/install_intro.htm>
for details on installing new agents.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapplication_performance_managementMatch8.1.3

ibmapplication_performance_managementMatch8.1.4

VendorProductVersionCPE
ibmapplication_performance_management8.1.3cpe:2.3:a:ibm:application_performance_management:8.1.3:*:*:*:*:*:*:*
ibmapplication_performance_management8.1.4cpe:2.3:a:ibm:application_performance_management:8.1.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	application_performance_management	8.1.3	cpe:2.3:a:ibm:application_performance_management:8.1.3:::::::*
ibm	application_performance_management	8.1.4	cpe:2.3:a:ibm:application_performance_management:8.1.4:::::::*