Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

Summary

There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. VMware Tanzu Spring Security and Spring Framework could allow a remote attacker to bypass security restrictions. VMware Tanzu Spring Vault could allow a local authenticated attacker to obtain sensitive information. VMware Tanzu Spring Framework is vulnerable to a denial of service. The IBM Toolbox for Java could allow a user to obtain sensitive information. Hutool is vulnerable to a denial of service, caused by stack-based buffer overflow. Apache Commons FileUpload and Tomcat are vulnerable to a denial of service. snakeYAML is vulnerable to a denial of service. These components are used in IBM i Modernization Engine for Lifecycle Integration for infrastructure support in the platform. IBM has addressed the vulnerabilities in IBM i Modernization Engine for Lifecycle Integration with updates to affected components.

Vulnerability Details

CVEID:CVE-2023-20862
**DESCRIPTION:**VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by the logout support feature does not properly clean the security context if using serialized versions. By sending a specially-crafted request, an attacker could exploit this vulnerability to remain authenticated after logout is performed.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253351 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-43928
**DESCRIPTION:**The IBM Toolbox for Java (Db2 Mirror for i 7.4 and 7.5) could allow a user to obtain sensitive information, caused by utilizing a Java string for processing. Since Java strings are immutable, their contents exist in memory until garbage collected. This means sensitive data could be visible in memory over an indefinite amount of time. IBM has addressed this issue by reducing the amount of time the sensitive data is visible in memory. IBM X-Force ID: 241675.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241675 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-45688
**DESCRIPTION:**Hutool is vulnerable to a denial of service, caused by stack-based buffer overflow. By persuading a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242881 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-24998
**DESCRIPTION:**Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit the number of request parts to be processed in the file upload function. By sending a specially-crafted request with series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-41854
**DESCRIPTION:**snakeYAML is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted YAML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-20860
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-20859
**DESCRIPTION:**VMware Tanzu Spring Vault could allow a local authenticated attacker to obtain sensitive information, caused by the insertion of sensitive information into log sourced from failed revocation of tokens. By gaining access to the log files, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250863 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2023-20861
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-20863
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252807 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

None