Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM44DD02B13AF538FD2EF395BCF6AC25F9B070F354F407256441422E3CEA19CD06
HistoryJun 19, 2024 - 10:32 a.m.

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to issues due to Apache Commons Configuration and Fasterxml jackson-databind

2024-06-1910:32:55
www.ibm.com
9
ibm sterling connect:direct
threeten backport
apache commons configuration
jjwt
fasterxml jackson-databind
windows
vulnerabilities
cves
denial of service
remote attack
arbitrary code
out-of-bounds write
integer overflow
stack-based overflow

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

10

Confidence

High

EPSS

0

Percentile

15.5%

JSON

Summary

There are vulnerabilities in Apache Commons Configuration and Fasterxml jackson-databind used by Install Agent, Integrated File Agent and Integrated Web Services in IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2024-29133
**DESCRIPTION:**Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286005 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2024-29131
**DESCRIPTION:**Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-35116
**DESCRIPTION:**Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service. Note: The vendor disputes the vulnerability because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258157 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Connect:Direct for Microsoft Windows 6.0.0.0 - 6.0.0.4_iFix087
IBM Sterling Connect:Direct for Microsoft Windows 6.1.0.0 - 6.1.0.2_iFix086
IBM Sterling Connect:Direct for Microsoft Windows 6.2.0.0 - 6.2.0.6_iFix019
IBM Sterling Connect:Direct for Microsoft Windows 6.3.0.0 - 6.3.0.3_iFix002

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Affected Product(s) Version(s) Remediation / Fix
IBM Sterling Connect:Direct for Microsoft Windows 6.0.0.0 - 6.0.0.4_iFix087 Apply 6.0.0.4_iFix088, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows 6.1.0.0 - 6.1.0.2_iFix086 Apply 6.1.0.2_iFix087, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows 6.2.0.0 - 6.2.0.6_iFix019 Apply 6.2.0.6_iFix020, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows 6.3.0.0 - 6.3.0.3_iFix002 Apply 6.3.0.3_iFix004, available on Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsterling_connect\Matchdirect_for_microsoft_windows6.0.0
OR
ibmsterling_connect\Matchdirect_for_microsoft_windows6.1.0
OR
ibmsterling_connect\Matchdirect_for_microsoft_windows6.2.0
OR
ibmsterling_connect\Matchdirect_for_microsoft_windows6.3.0
VendorProductVersionCPE
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:6.0.0:*:*:*:*:*:*:*
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:6.1.0:*:*:*:*:*:*:*
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:6.2.0:*:*:*:*:*:*:*
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:6.3.0:*:*:*:*:*:*:*

Related

ibm 45
nessus 18
osv 17
openvas 6
fedora 2
nvd 3
debiancve 3
redhatcve 3
veracode 2
cgr 2
wolfi 2
cnvd 2
atlassian 2
cvelist 3
redhat 9
github 2
cve 3
ubuntucve 1
vulnrichment 2
prion 1
oracle 3
ibm
ibm
Security Bulletin: Multiple vulnerabilities reported in YAJSW service shipped in IBM WebSphere eXtreme Scale Liberty Deployment
2024-05-02 02:53:11
Security Bulletin: Apache Commons Configuration vulnerability has been identified in Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2024-29131,CVE-2024-29133)
2024-09-04 15:22:47
Security Bulletin: IBM® Db2® federated server is affected by vulnerabilities in the open source commons-configuration2 library. (CVE-2024-29131, CVE-2024-29133)
2024-06-11 17:39:14
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : apache-commons-configuration (SUSE-SU-2024:1377-1)
2024-04-23 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : apache-commons-configuration2 (SUSE-SU-2024:1365-1)
2024-04-23 00:00:00
IBM WebSphere eXtreme Scale 8.6.1.0 < 8.6.1.6 (7150045)
2024-06-27 00:00:00
osv
osv
apache-commons-configuration2-2.10.1-1.1 on GA media
2024-06-15 00:00:00
Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree
2024-03-21 09:31:14
CGA-grw7-f4vj-7jvv
2024-06-06 12:27:32
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2024:1365-1)
2024-05-07 00:00:00
openSUSE: Security Advisory for apache (SUSE-SU-2024:1377-1)
2024-04-25 00:00:00
Apache Commons Configuration 2.0.x < 2.10.1 Multiple Vulnerabilities
2024-03-21 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: apache-commons-configuration-2.10.1-1.fc39
2024-03-30 01:10:55
[SECURITY] Fedora 40 Update: apache-commons-configuration-2.10.1-1.fc40
2024-03-29 04:11:00
nvd
nvd
CVE-2024-29133
2024-03-21 09:15:07
CVE-2024-29131
2024-03-21 09:15:07
CVE-2023-35116
2023-06-14 14:15:10
debiancve
debiancve
CVE-2024-29131
2024-03-21 09:15:07
CVE-2024-29133
2024-03-21 09:15:07
CVE-2023-35116
2023-06-14 14:15:00
redhatcve
redhatcve
CVE-2024-29131
2024-03-21 12:16:07
CVE-2024-29133
2024-03-21 12:16:00
CVE-2023-35116
2023-08-22 17:50:09
veracode
veracode
Out-of-Bounds Write
2024-03-22 06:49:33
Out-of-Bounds Write
2024-03-22 05:11:58
cgr
cgr
CVE-2024-29131 vulnerabilities
2024-05-19 03:07:16
CVE-2024-29133 vulnerabilities
2024-05-19 03:07:16
wolfi
wolfi
CVE-2024-29131 vulnerabilities
2024-09-27 21:56:47
CVE-2024-29133 vulnerabilities
2024-09-27 21:56:47
cnvd
cnvd
Apache Commons Configuration Out-of-Bounds Write Vulnerability
2024-03-26 00:00:00
Apache Commons Configuration Out-of-Bounds Write Vulnerability (CNVD-2024-16109)
2024-03-26 00:00:00
atlassian
atlassian
DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server
2024-06-12 21:12:33
DoS (Denial of Service) org.apache.commons:commons-configuration2 Dependency in Confluence Data Center and Server
2024-06-12 21:13:20
cvelist
cvelist
CVE-2024-29131 Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
2024-03-21 09:07:13
CVE-2024-29133 Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree
2024-03-21 09:05:47
CVE-2023-35116
2023-06-14 00:00:00
redhat
redhat
(RHSA-2024:3920) Important: Migration Toolkit for Runtimes security, bug fix and enhancement update
2024-06-13 11:01:17
(RHSA-2024:6893) Moderate: Red Hat AMQ Broker 7.12.0 release and security update
2024-09-19 18:10:49
(RHSA-2024:2945) Important: Red Hat AMQ Broker 7.12.0 release and security update
2024-05-21 14:17:10
github
github
Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree
2024-03-21 09:31:14
Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
2024-03-21 09:31:14
cve
cve
CVE-2024-29133
2024-03-21 09:15:07
CVE-2024-29131
2024-03-21 09:15:07
CVE-2023-35116
2023-06-14 14:15:10
ubuntucve
ubuntucve
CVE-2023-35116
2023-06-14 00:00:00
vulnrichment
vulnrichment
CVE-2024-29133 Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree
2024-03-21 09:05:47
CVE-2024-29131 Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()
2024-03-21 09:07:13
prion
prion
Code injection
2023-06-14 14:15:00
oracle
oracle
Oracle Critical Patch Update Advisory - July 2024
2024-07-16 00:00:00
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

CVSS3

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AI Score

10

Confidence

High

EPSS

0

Percentile

15.5%

JSON
Related for 44DD02B13AF538FD2EF395BCF6AC25F9B070F354F407256441422E3CEA19CD06
ibm45nessus18osv17openvas6fedora2nvd3debiancve3redhatcve3veracode2cgr2wolfi2cnvd2atlassian2cvelist3redhat9github2cve3ubuntucve1vulnrichment2prion1oracle3