Jul 30, 2024 - 4:54 p.m.

Security Bulletin: IBM License Key Server Administration Agent is vulnerable to a remote code attack in Apache Commons (CVE-2024-29131, CVE-2024-29133)

www.ibm.com

CVSS3: 7.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score: 8.8
Confidence: Low

Summary

IBM LKS Administration Agent is vulnerable to remote code execution in Apache Commons.

Vulnerability Details

**CVEID:** CVE-2024-29131
**DESCRIPTION:** Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2024-29133
**DESCRIPTION:** Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286005 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Common Licensing Agent | 9.0 |

Remediation/Fixes

The CVE-2024-29131 and CVE-2024-29133 flaws lie in the Apache Commons Configuration library, which has now been upgraded.
IBM strongly recommends addressing the Apache Commons vulnerability in IBM Common Licensing now by applying the suggested fix that uses a newer version with the vulnerability resolved.

Apply IBM LKS Administration Agent 9.0.0.1 from Fix Central.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node: ibm common_licensing, Match: 9.0

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | common_licensing | 9.0 | cpe:2.3:a:ibm:common_licensing:9.0:*:*:*:*:*:*:* |
