Lucene search

K
ibmIBM3E78E1B23D7F053060942570D321197D47C204E00FB10FCB8731A46680586E38
HistoryNov 21, 2023 - 3:12 a.m.

Security Bulletin: IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty.

2023-11-2103:12:00
www.ibm.com
12
ibm sterling connect:direct browser ui
jetty server
cve-2023-36478
cve-2023-44487
denial of service
http/2 protocol

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.813

Percentile

98.4%

Summary

IBM Sterling Connect:Direct Browser User Interface uses Jetty server.

Vulnerability Details

CVEID:CVE-2023-36478
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by an integer overflow and buffer allocation in MetaDataBuilder.checkSize. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268413 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Connect Direct Browser User Interface 1.5.0.2
IBM Sterling Connect Direct Browser User Interface 1.4.1.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product|Version|**Fix/Remediation
**
—|—|—
IBM Sterling Connect:Direct Browser User Interface| 1.4.1.1, 1.5.0.2| Apply 1.5.0.2 iFix-39, available in cumulative iFix039 on Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmibm_sterling_connect\Matchdirect_browser_user_interface1.5.0.2

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.813

Percentile

98.4%