Security Bulletin: IBM Operational Decision Manager October 2023 - Multiple CVEs addressed

Published: 2023-10-19 11:13:55
Source: www.ibm.com

CVSS3 (page-level score; IBM's per-CVE base scores are given under Vulnerability Details): 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: REQUIRED, Scope: CHANGED, Confidentiality Impact: LOW, Integrity Impact: LOW, Availability Impact: NONE

EPSS: 0.007 (percentile 81.0%)

Summary

IBM Operational Decision Manager is affected by vulnerabilities in third-party and open source components used by the product for various functions: an open redirect in the FORM authentication feature of Apache Tomcat, and an HTTP request smuggling flaw in Eclipse Jetty. See the full list below. The vulnerabilities have been addressed by the interim fixes listed under Remediation/Fixes.

Vulnerability Details

CVEID: CVE-2023-41080
DESCRIPTION: Apache Tomcat could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the FORM authentication feature. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/264483 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
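The open redirect above arises from the FORM authentication pattern of remembering the URL a user requested before login and redirecting there afterwards; if that remembered value is used verbatim, a crafted link can send the freshly authenticated user off-site. The following is an added example, not Tomcat's or IBM's code, of how an application sitting behind such a login flow can sanitise the post-login target: only same-origin paths (or explicitly allow-listed https hosts) are honoured, everything else falls back to a fixed landing page. The function name, the allow-list parameter and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed default: where the login flow lands when the requested target is unsafe.
DEFAULT_LANDING = "/"


def safe_post_login_target(candidate, allowed_hosts=()):
    """Return a redirect target that stays on this origin (or on an explicitly
    allow-listed https host), falling back to DEFAULT_LANDING otherwise.

    Hypothetical helper: the FORM-auth flow remembers the URL requested before
    authentication and redirects there after login.  Trusting that remembered
    value verbatim is what turns it into an open redirect.
    """
    if not candidate:
        return DEFAULT_LANDING
    # Whitespace, control characters and backslashes are rejected outright:
    # browsers normalise some of them (e.g. "\\" -> "/") in ways a naive
    # prefix check will not anticipate.
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in candidate):
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute ("https://evil.example/x") or scheme-relative ("//evil.example/x")
        # URL.  Only permit it when the host is on the allow list and the scheme is https.
        host = (parts.hostname or "").lower()
        if parts.scheme == "https" and host and host in {h.lower() for h in allowed_hosts}:
            return urlunsplit(parts)
        return DEFAULT_LANDING
    # Same-origin path: exactly one leading "/" ("//" would be scheme-relative).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_LANDING
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs, the kind an attacker would plant in a crafted login link.
    for target in ["/dashboard?tab=1", "https://evil.example/phish",
                   "//evil.example/phish", "/\\evil.example", "javascript:alert(1)"]:
        print(f"{target!r:32} -> {safe_post_login_target(target)!r}")
```

The check rejects by structure rather than by string prefix: a leading "//" or a backslash would survive a `startswith("/")` test yet be treated by the browser as a different host.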

CVEID: CVE-2023-40167
DESCRIPTION: Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP/1 request header. By sending a specially crafted request, a remote attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/266353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
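Request smuggling works because two parsers in the chain (a proxy or WAF in front, the application server behind) disagree about where one request's body ends and the next request begins. The bulletin does not detail Jetty's specific parsing defect, so the added example below, which is not Jetty's code, shows the strict HTTP/1.1 framing rules (RFC 9112 section 6) that any hop should enforce to avoid such disagreements: a single plain-decimal Content-Length, no Content-Length alongside Transfer-Encoding, Transfer-Encoding limited to exactly `chunked`, and no obsolete line folding or bare CR/LF in the head. The sample requests are constructed, not captured traffic.

```python
import re

# Content-Length must be a plain run of ASCII digits: no sign, no embedded
# whitespace, nothing else.  A lenient parser that tolerates extras can be
# made to disagree with a strict one about where the body ends.
PLAIN_DECIMAL = re.compile(rb"^[0-9]+$")


class FramingError(ValueError):
    """Raised when the request head does not unambiguously delimit the body."""


def parse_head(raw):
    """Split a raw HTTP/1.x request into (request_line, [(name, value)], body).

    Rejects obsolete line folding and bare CR/LF inside header lines, two
    classic sources of front-end/back-end parsing disagreement.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding")
        if b"\r" in line or b"\n" in line:
            raise FramingError("bare CR or LF in header line")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip(b" \t"):
            raise FramingError("malformed header line")
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers, body


def message_framing(raw):
    """Return how the body is delimited: ("content-length", n), ("chunked", None)
    or ("none", 0).  Raises FramingError on anything ambiguous."""
    _, headers, _ = parse_head(raw)
    cl_values = [v for n, v in headers if n == b"content-length"]
    te_values = [v for n, v in headers if n == b"transfer-encoding"]
    if te_values and cl_values:
        # A proxy honouring one header and a backend honouring the other
        # will split the same byte stream into different requests.
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te_values:
        codings = [c.strip(b" \t").lower() for v in te_values for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError("Transfer-Encoding must be exactly 'chunked'")
        return ("chunked", None)
    if cl_values:
        if len(set(cl_values)) != 1:
            raise FramingError("conflicting Content-Length values")
        if not PLAIN_DECIMAL.match(cl_values[0]):
            raise FramingError("Content-Length is not a plain decimal")
        return ("content-length", int(cl_values[0]))
    return ("none", 0)


def classify(raw):
    """Human-readable verdict for a raw request, used by the demo below."""
    try:
        mode, n = message_framing(raw)
    except FramingError as exc:
        return f"reject: {exc}"
    return f"accept: {mode}" + (f" {n}" if n is not None else "")


# Constructed sample requests (hostname and paths are invented).
NORMAL = (b"POST /decisions HTTP/1.1\r\nHost: odm.example\r\n"
          b"Content-Length: 5\r\n\r\nhello")
SIGNED_CL = (b"POST /decisions HTTP/1.1\r\nHost: odm.example\r\n"
             b"Content-Length: +5\r\n\r\nhello")
CL_AND_TE = (b"POST /decisions HTTP/1.1\r\nHost: odm.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: odm.example\r\n\r\n")
DUP_CL = (b"POST /decisions HTTP/1.1\r\nHost: odm.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("signed CL", SIGNED_CL),
                       ("CL+TE", CL_AND_TE), ("duplicate CL", DUP_CL)]:
        print(f"{label:13s} -> {classify(req)}")
```

Rejecting rather than "repairing" an ambiguous head is the point: any attempt to guess the sender's intent is a second interpretation that the next hop may not share. The CL_AND_TE sample shows why this matters, since the bytes after the terminating chunk would be read as a fresh request by a parser that trusts Transfer-Encoding.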

Affected Products and Versions

Affected Product(s)                 Version(s)
IBM Operational Decision Manager    8.10.x
IBM Operational Decision Manager    8.11.x
IBM Operational Decision Manager    8.12.x

Remediation/Fixes

IBM Operational Decision Manager V8.10.5.1:
Interim fix 044 is available from IBM Fix Central:

  • 8.10.5.1-WS-ODM_K8S-PPC64LE-IF044
  • 8.10.5.1-WS-ODM_K8S-LIN_X86-IF044
  • 8.10.5.1-WS-ODM_DC-IF044
  • 8.10.5.1-WS-ODM_DS-IF044

IBM Operational Decision Manager V8.11.0.1:
Interim fix 024 is available from IBM Fix Central:

  • 8.11.0.1-WS-ODM-IF024
  • 8.11.0.1-WS-ODM_K8S-PPC64LE-IF024
  • 8.11.0.1-WS-ODM_K8S-LIN_S390-IF024
  • 8.11.0.1-WS-ODM_K8S-LIN_X86-IF024

IBM Operational Decision Manager V8.11.1:
Interim fix 013 is available:

IBM Operational Decision Manager V8.12.0:
Interim fix 005 is available:

Workarounds and Mitigations

None

Affected configurations (CPE, as listed on the page)

  cpe:2.3:a:ibm:operational_decision_manager:8.10.:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:operational_decision_manager:8.11.:*:*:*:*:*:*:*
  cpe:2.3:a:ibm:operational_decision_manager:8.12.:*:*:*:*:*:*:*
