Lucene search

K
ibmIBM5630DBFF6CB5A216B240FFCE785482F8F5BB8B898323EE139C8F3F91C87A21EC
HistoryApr 24, 2024 - 4:46 a.m.

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-5868)

2024-04-2404:46:33
www.ibm.com
9
ibm sterling connect:direct
postgresql vulnerability
sensitive information exposure
cve-2023-5868
remediation
version 6.0
version 6.1
version 6.2
version 6.3

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.3%

Summary

IBM Connect:Direct Web Services uses PostgreSQL. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-5868
**DESCRIPTION:**PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when perform certain aggregate function calls. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain bytes of server memory from the end of the “unknown”-type value to the next zero byte, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271219 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Connect:Direct Web Services 6.3.0
IBM Sterling Connect:Direct Web Services 6.1.0
IBM Sterling Connect:Direct Web Services 6.2.0
IBM Sterling Connect:Direct Web Services 6.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Product(s)|Version(s)|**Remediation
**
—|—|—
IBM Sterling Connect:Direct Web Services| 6.1| Apply 6.1.0.24, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.2| Apply 6.2.0.23, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.3| Apply 6.3.0.7, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.0| Upgrade to 6.1.0.24, 6.2.0.23, or 6.3.0.7

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsterling_connect\Matchdirect6.1

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.3%