Lucene search

K
ibmIBM3D6899F34E2CB79EEDDC7498564CA36313B500911C69D94EF6959C1179B6F4FC
HistorySep 11, 2023 - 2:15 p.m.

Security Bulletin: Due to use of, IBM Application Performance Management is vulnerable to a local authenticated attacker to obtain sensitive information.

2023-09-1114:15:49
www.ibm.com
18
ibm
application performance
local authenticated attacker
sensitive information
google guava
file creation
filebackedoutputstream
vulnerability
ibm cloud apm
patch
remediation
security bulletin

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.0004 Low

EPSS

Percentile

15.4%

Summary

Google Guava is used within IBM Application Performance Management. CVE-2023-2976.

Vulnerability Details

CVEID:CVE-2023-2976
**DESCRIPTION:**Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Javaโ€™s default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258199 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud APM, Base Private 8.1.4
IBM Cloud APM, Advanced Private 8.1.4

Remediation/Fixes

IBM Cloud Application Performance Management, Base Private

IBM Cloud Application Performance Management, Advanced Private| 8.1.4|

The vulnerability can be remediated by applying the following 8.1.4.0-IBM-APM-SERVER-IF0014 or later server patch to the system where the Cloud APM server is installed: <https://www.ibm.com/support/pages/node/7028410&gt;

โ€”|โ€”|โ€”

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmapplication_performance_managementMatch8.1.3
OR
ibmapplication_performance_managementMatch8.1.4

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.0004 Low

EPSS

Percentile

15.4%