Security Bulletin: IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks in Apache Mina SSHD Common (CVE-2023-48795)

Published: 2024-04-19 16:34:47
Source: www.ibm.com

CVSS3: 5.9 Medium
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: HIGH; Availability Impact: NONE

AI Score: 6.8 Medium, Confidence: High
EPSS: 0.962 High, Percentile: 99.5%

Summary

IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks (CVE-2023-48795) found in Apache Mina SSHD Common. Apache Mina SSHD Common is used by the Open Source Package Manager feature of IBM i Access Client Solutions when authenticating to the IBM i server. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2023-48795
**DESCRIPTION:** OpenSSH is vulnerable to a machine-in-the-middle attack, caused by a flaw in the extension negotiation process in the SSH transport protocol when used with certain OpenSSH extensions. A remote attacker could exploit this vulnerability to launch a machine-in-the-middle attack and strip an arbitrary number of messages after the initial key exchange, breaking SSH extension negotiation and downgrading the client connection security.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/275282 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM i Access Family | 1.1.2 - 1.1.4, 1.1.4.3 - 1.1.9.4 |

Remediation/Fixes

The issue can be fixed by upgrading to version 1.1.9.5 or later. See IBM i Access Client Solutions updates for the latest version available.

| Product(s) | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM i Access Client Solutions | 1.1.2 - 1.1.4, 1.1.4.3 - 1.1.9.4 | The current version of IBM i Access Client Solutions is available at Downloads. Or you may download it from the general IBM i software site at Entitled Systems Support (ESS). |
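To decide which installed copies of IBM i Access Client Solutions need the upgrade described in the Affected Products and Remediation/Fixes sections, the version must be compared numerically against the bulletin's ranges; a string comparison gets this wrong (for example "1.1.10" sorts before "1.1.9.4" as text). The checker below is an added example, not IBM's tooling: `AFFECTED_RANGES` and `FIXED_VERSION` are copied from this bulletin, the ranges are treated as inclusive, and the gap between 1.1.4 and 1.1.4.3 is reproduced exactly as the bulletin lists it. How you obtain the installed version string (from the ACS client's About dialog or your inventory system) is outside this example.

```python
"""Check an IBM i Access Client Solutions version against this bulletin's affected ranges."""
from typing import Tuple

# Inclusive ranges copied from the bulletin's Affected Products table.
AFFECTED_RANGES = (("1.1.2", "1.1.4"), ("1.1.4.3", "1.1.9.4"))
# Fixed release named in Remediation/Fixes.
FIXED_VERSION = "1.1.9.5"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.1.9.4' into a tuple of ints for ordering."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def _padded(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so that '1.1.4' and '1.1.4.0' compare equal."""
    return version + (0,) * (width - len(version))


def in_range(version: str, low: str, high: str) -> bool:
    """True if low <= version <= high under numeric, component-wise comparison."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = (_padded(x, width) for x in (v, lo, hi))
    return lo <= v <= hi


def is_affected(version: str) -> bool:
    """True if the version falls inside any range the bulletin lists as affected."""
    return any(in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES)


def advice(version: str) -> str:
    """One-line remediation verdict for an inventory report."""
    if is_affected(version):
        return f"{version} is affected: upgrade to {FIXED_VERSION} or later"
    return f"{version} is not listed as affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in (("ws01", "1.1.8.6"), ("ws02", "1.1.9.5"), ("ws03", "1.1.10")):
        print(f"{host}: {advice(ver)}")
```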

Workarounds and Mitigations

None

Affected configurations (Vulners): ibmi_access range 1.1.2 OR ibmi_access range 1.1.4
