Security Bulletin: IBM Security Verify Access is vulnerable to multiple Security Vulnerabilities

Summary

The IBM Security Verify Access Appliance and IBM Security Verify Access Container has addressed multiple vulnerabilities in release 10.0.0.8.

Vulnerability Details

CVEID:CVE-2024-31883
**DESCRIPTION:**IBM Security Verify Access, under certain configurations, could allow an unauthenticated attacker to cause a denial of service due to asymmetric resource consumption.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2019-20916
**DESCRIPTION:**pypa pip package for python could allow a remote attacker to traverse directories on the system, caused by a flaw when installing package via a specified URL. An attacker could use a specially-crafted Content-Disposition header with filename containing “dot dot” sequences (/…/) to overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187855 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)

CVEID:CVE-2021-3572
**DESCRIPTION:**pip package for python could allow a remote authenticated attacker to bypass security restrictions, caused by the improper handling of Unicode separators in git references. By creating a specially crafted tag, an attacker could exploit this vulnerability to install a different revision on a repository.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208954 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-5752
**DESCRIPTION:**Python Packaging Authority pip could allow a local authenticated attacker to bypass security restrictions, caused by a flaw when installing a package from a Mercurial VCS URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject arbitrary configuration options to the “hg clone” call to modify how and which repository is installed.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269797 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-30430
**DESCRIPTION:**IBM Security Access Manager could allow a local user to obtain sensitive information from trace logs.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252183 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access (Docker Container)

• Obtain the latest version of the container by running the command “docker pull icr.io/isva/verify-access:[tag]”

Where [tag] is the latest published version and can be confirmed here.

For the ISAM/ISVA appliances

• Obtain the latest version by obtaining the fix at the location shown below:

Affected Products and Versions

|

Fix availability

—|—

IBM Security Verify Access 10.0.0.0 - 10.0.7.1

|

10.0.8-ISS-ISVA-FP0000

Workarounds and Mitigations

None