Published: Oct 05, 2023 - 8:39 p.m.

Security Bulletin: IBM Security Verify Directory products have multiple security vulnerabilities (CVE-2022-33164, CVE-2022-33168, CVE-2022-33161, CVE-2022-32755)

Source: www.ibm.com

EPSS: 0.001 (Low), percentile 34.8%

Summary

Several vulnerabilities have been addressed in IBM Security Directory Server, IBM Security Directory Suite, and IBM Security Verify Directory products.

Vulnerability Details

CVEID: CVE-2022-33164
**DESCRIPTION:** IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/…/) to view or write to arbitrary files on the system. IBM X-Force ID: 228579.
CVSS Base score: 8.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/228579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H)

CVEID: CVE-2022-33161
**DESCRIPTION:** IBM Security Directory Server could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/228569 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-32755
**DESCRIPTION:** IBM Security Directory Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/228505 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)

CVEID: CVE-2022-33168
**DESCRIPTION:** IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 228588.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/228588 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Directory Server | 6.4.0 |
| IBM Security Directory Suite | 8.0.1 |
| IBM Security Verify Directory | 10.0.0 |

Remediation/Fixes

IBM encourages customers to update their systems promptly.

For IBM Security Verify Directory 10.0 containers, refer to the download links listed under the Images link.

| Affected Products and Version | Fix Availability |
|---|---|
| IBM Security Verify Directory 10.0.0 | IBM Security Verify Directory, Version 10.0.1 - Download Document |
| IBM Security Directory Suite 8.0.1 | IBM Security Directory Suite 8.0.1 Fixpack 21 |
| IBM Security Directory Server 6.4.0 | IBM Security Directory Server 6.4.0 Interim Fix 28 |

Workarounds and Mitigations

None
