
Security Bulletin: TLS 1.0 and TLS 1.1 is enabled in IBM Safer Payments (CVE-2023-27557)

2023-04-24 14:18:09
www.ibm.com

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 41.2%

Summary

IBM Safer Payments had older TLS 1.0 and TLS 1.1 protocols enabled by default. These protocols are now disabled.

Vulnerability Details

CVEID: CVE-2023-27557
DESCRIPTION: IBM Counter Fraud Management for Safer Payments uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/249192 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s): IBM Safer Payments

Version(s): 6.1.0.00 - 6.1.1.02, 6.2.0.00 - 6.2.2.02, 6.3.0.00 - 6.3.1.02, 6.4.0.00 - 6.4.2.01, and 6.5.0.00

Remediation/Fixes

Update IBM Safer Payments to version 6.1.1.03, 6.2.2.03, 6.3.1.03, 6.4.2.02, 6.5.0.01 or higher.

Refer to the IBM Safer Payments documentation to download the updates.

Workarounds and Mitigations

Configure IBM Safer Payments to reject TLS versions 1.0 and 1.1. Refer to the implementation guides.

IBM Safer Payments 6.1: <https://www.ibm.com/docs/en/safer-payments/6.1?topic=configuration-configure-ssl-encryption>

IBM Safer Payments 6.2: <https://www.ibm.com/docs/en/safer-payments/6.2?topic=configuration-configure-ssl-encryption>

IBM Safer Payments 6.3: <https://www.ibm.com/docs/en/safer-payments/6.3?topic=configuration-configure-ssl-encryption>

IBM Safer Payments 6.4: <https://www.ibm.com/docs/en/safer-payments/6.4?topic=configuration-configuring-ssl-encryption>

IBM Safer Payments 6.5: <https://www.ibm.com/docs/en/safer-payments/6.5?topic=configuration-configuring-ssl-encryption>
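
One way to confirm that an updated or reconfigured endpoint really refuses TLS 1.0 and TLS 1.1, as an added example (not IBM tooling and not part of the bulletin). It sends a hand-built ClientHello so the result does not depend on whether the local OpenSSL build still permits the legacy versions. The cipher list, the result labels and the function names are choices made for this sketch, and the host is assumed to be a DNS name you operate.

```python
import os
import socket
import struct

# Wire versions of the two protocols the bulletin says must be rejected.
LEGACY = {"TLS 1.0": 0x0301, "TLS 1.1": 0x0302}
# Suites usable in TLS 1.0/1.1, so a refusal reflects the version, not the cipher.
SUITES = [0xC014, 0xC013, 0xC00A, 0xC009, 0x0035, 0x002F, 0x000A]

def client_hello(version, host):
    """Build a ClientHello record whose highest offered version is `version`."""
    name = host.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    groups = struct.pack("!HHHH", 6, 23, 24, 25)  # secp256r1, secp384r1, secp521r1
    exts = (struct.pack("!HH", 0, len(sni)) + sni            # server_name
            + struct.pack("!HH", 10, len(groups)) + groups   # supported_groups
            + struct.pack("!HHBB", 11, 2, 1, 0))             # ec_point_formats
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"  # no session id
            + struct.pack("!H", 2 * len(SUITES))
            + b"".join(struct.pack("!H", s) for s in SUITES)
            + b"\x01\x00"                                    # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(reply, offered):
    """Interpret the first TLS record the server sent back."""
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:  # ServerHello
        chosen = int.from_bytes(reply[9:11], "big")
        return "accepted" if chosen <= offered else "inconclusive"
    if len(reply) >= 7 and reply[0] == 0x15:                         # alert record
        return "rejected" if reply[6] == 70 else "inconclusive"     # protocol_version
    return "inconclusive"  # closed, reset, timed out or not a TLS endpoint

def probe(host, port, timeout=5.0):
    """Offer each legacy version to host:port and report the server's answer."""
    results = {}
    for label, version in LEGACY.items():
        reply = b""
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(client_hello(version, host))
                while len(reply) < 11:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    reply += chunk
        except OSError:
            pass  # classify whatever arrived before the error
        results[label] = classify(reply, version)
    return results
```

A result of "accepted" for either label means the endpoint still negotiates a legacy protocol; "inconclusive" (for example a handshake_failure alert or a silent close) needs a second look with the server's own logs.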

Affected configurations

Vulners Node:
ibm safer_payments Match 6.1
OR
ibm safer_payments Match 6.2
OR
ibm safer_payments Match 6.3
OR
ibm safer_payments Match 6.4
OR
ibm safer_payments Match 6.5
