Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access (CVE-2023-46158, CVE-2023-0482, CVE-2022-46364, CVE-2023-28867)

Summary

Security Vulnerability fixes in IBM WebSphere Application Server Liberty and other components have been addressed in an update to IBM Security Verify Access.

Vulnerability Details

CVEID:CVE-2023-46158
**DESCRIPTION:**IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-0482
**DESCRIPTION:**RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File.createTempFile() used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246304 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2022-46364
**DESCRIPTION:**Apache CXF is vulnerable to server-side request forgery, caused by a flaw in parsing the href attribute of XOP:Include in MTOM requests. By using a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-28867
**DESCRIPTION:**GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially crafted GraphQL query, a remote attacker could exploit this vulnerability to cause a stack consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251003 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access (Docker Container)

• Obtain the latest version of the container by running the command “docker pull icr.io/isva/verify-access:[tag]”

Where [tag] is the latest published version and can be confirmed here.

For the ISAM/ISVA appliances

• Obtain the latest version by obtaining the fix at the location shown below:

Affected Products and Versions

|

Fix availability

—|—

IBM Security Verify Access 10.0.0.0

|

10.0.7-ISS-ISVA-FP0000

Workarounds and Mitigations

None