Lucene search

IBM1021F5082049D88F926BFC576230D858A71EE6F6A41A3266D1A5C7D22FBF84C4

HistoryMay 02, 2024 - 7:25 p.m.

Security Bulletin: Apache Commons Compress is vulnerable to CVE-2024-26308 and CVE-2024-25710 used in IBM Maximo Application Suite - Monitor Component

2024-05-0219:25:10

www.ibm.com

ibm maximo

apache commons compress

vulnerability

cve-2024-26308

cve-2024-25710

denial of service

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.0%

JSON

Summary

IBM Maximo Application Suite - Monitor Component uses Apache Commons Compress which is vulnerable to CVE-2024-26308 and CVE-2024-25710. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2024-26308
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-25710
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283472 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Maximo Application Suite - Monitor Component	8.11
IBM Maximo Application Suite - Monitor Component	8.10

Remediation/Fixes

Affected Product(s)	Fixpack Version(s)
IBM Maximo Application Suite - Monitor Component	8.11.6 or latest (available from the Catalog under Update Available)
IBM Maximo Application Suite - Monitor Component	8.10.9 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_application_suiteMatch8.11

ibmmaximo_application_suiteMatch8.10

CPENameOperatorVersion
ibm maximo application suiteeq8.11
ibm maximo application suiteeq8.10

CPE	Name	Operator	Version
	ibm maximo application suite	eq	8.11
	ibm maximo application suite	eq	8.10

8.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.0%

JSON

Related for 1021F5082049D88F926BFC576230D858A71EE6F6A41A3266D1A5C7D22FBF84C4