Security Bulletin: IBM Spectrum Conductor provides upgraded software packages to address known CVEs

Published: 2024-01-31 02:15:11
Source: www.ibm.com

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score: 7.2 (Confidence: Low)
EPSS: 0.005 (Percentile: 75.4%)

IBM Spectrum Conductor 2.5.1 Fix 601861 provides upgraded software packages to address known CVEs. Several software versions have been upgraded with Fix 601861.

IBM Spectrum Conductor 2.5.1 Fix 601861 is a security fix that provides upgraded versions of software packages included with IBM Spectrum Conductor. The software has been upgraded to address known CVEs, as follows:

| Software | Upgraded in Fix 601861 to this version | CVE |
| --- | --- | --- |
| bcprov-jdk15on | 1.77 | CVE-2023-33201 |
| Internet Systems Consortium (ISC) BIND (libbind) | 9.18.19 | CVE-2023-3341 |
| jQuery.dataTables | 1.11.3 | CVE-2021-23445 |
| jQuery-ui | 1.13.2 | CVE-2021-41184, CVE-2022-31160, CVE-2021-41183, CVE-2021-41182 |
| Kotlin-stdlib | 1.9.20 | CVE-2022-24329 |
| Logback Classic | 1.0.7 | CVE-2023-6481 |
| Netty | 4.1.99 | CVE-2023-34462 |
| Okio | 3.4.0 | CVE-2023-3635 |
| Python URLlib3 | 1.26.18 | CVE-2023-43804, CVE-2023-45803 |
| Spring Security | 5.8.8 | CVE-2023-34042 |

The IBM Spectrum Conductor 2.5.1 Fix 601861 offering is available for 64-bit Linux x86 and Linux on POWER. It is a security fix for IBM Spectrum Conductor, to be applied on top of your version 2.5.1 Fix 601712 installation (including any fixes you may have already installed on top of version 2.5.1).

Fix 601861 is not a mandatory fix; you can apply other fixes on top of IBM Spectrum Conductor 2.5.1 Fix 601712 without applying Fix 601861. Fix 601861 is, however, one that provides optimal security.

The IBM Spectrum Conductor installation includes various software, as listed in IBM Documentation. Some of the software packages have been identified with Common Vulnerabilities and Exposures (CVEs). Fix 601861 provides upgraded versions of the affected software, so that you can continue to use IBM Spectrum Conductor 2.5.1 securely. For improved security, apply Fix 601861.

For a Linux environment with IBM Spectrum Symphony, always install IBM Spectrum Symphony 7.3.2 Fix 601860 first, and then install IBM Spectrum Conductor 2.5.1 Fix 601861.

IBM Spectrum Conductor with Spark Fix ID: sc-2.5.1-build601861

Affected configurations

Node: ibm spectrum_control, match 2.5.1
CPE name: ibm spectrum conductor; operator: eq; version: 2.5.1
