Security Bulletin: Multiple vulnerabilities in IBM's 4769 Developer's Toolkit. CVE-2023-33855, CVE-2023-47150

2024-03-25 17:53:21
www.ibm.com

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
AI Score: 7.5
Confidence: Low
EPSS: 0
Percentile: 9.0%

Summary

IBM Common Cryptographic Architecture (CCA) could allow a remote user to cause a denial of service (CVE-2023-47150) or to obtain sensitive information (CVE-2023-33855) as described in the vulnerability details section. IBM customers who use the IBM 4769 Developer’s Toolkit to create CCA User-Defined Extensions (UDXes) may be affected by these vulnerabilities.

Vulnerability Details

CVEID: CVE-2023-47150
**DESCRIPTION:** IBM Common Cryptographic Architecture (CCA) could allow a remote user to cause a denial of service due to incorrect data handling for certain types of AES operations.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270602 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-33855
**DESCRIPTION:** Under certain conditions, RSA operations performed by IBM Common Cryptographic Architecture (CCA) may exhibit non-constant-time behavior. This could allow a remote attacker to obtain sensitive information using a timing-based attack.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s): IBM 4769 Developer's Toolkit
Version(s): 7.0.0 - 7.5.36

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities by upgrading to the latest toolkit.

Product: IBM 4769 Developer's Toolkit
Fixed Version: 7.5.37 or later

Customers should contact their toolkit provider to obtain the latest toolkit.

Workarounds and Mitigations

IBM recommends that all toolkit customers upgrade to the latest version of the IBM 4769 Developer’s Toolkit.

The listed vulnerabilities affect certain types of RSA (CVE-2023-33855) and AES (CVE-2023-47150) operations performed by the IBM Common Cryptographic Architecture (CCA). An IBM 4769 Developer’s Toolkit customer who creates custom firmware images that are CCA User-Defined Extensions (UDXes) might be affected. However, an IBM 4769 Developer’s Toolkit customer who does not create UDXes would not be affected.

Affected configurations (CPE)

cpe:2.3:a:ibm:common_cryptographic_architecture:7.:*:*:*:mtm_for_4769:*:*:*
OR
cpe:2.3:a:ibm:common_cryptographic_architecture:4769:*:*:*:mtm_for_4769:*:*:*
