Lucene search

IBM582E108723F2B0729343ED1D97E0791DC1CFB579A0F69C00B8D008EFEA47EB2C

HistorySep 19, 2023 - 9:06 a.m.

Security Bulletin: Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI

2023-09-1909:06:01

www.ibm.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

70.9%

JSON

Summary

There is vulnerability in moment-timezone opensource package which affects IBM VM Recovery Manager HA and DR GUI.

Vulnerability Details

CVEID:CVE-2022-43441
**DESCRIPTION:**Ghost node-sqlite3 could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the underlying implementation of .ToString() function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250292 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-31129
**DESCRIPTION:**Moment is vulnerable to a denial of service, caused by inefficient regular expression complexity. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-24785
**DESCRIPTION:**Moment.js could allow a remote attacker to traverse directories on the system, caused by improper validation of user supplied input. An attacker could send a specially-crafted locale string containing “dot dot” sequences (/…/) to switch arbitrary moment locale.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
VMRM HA	All
VMRM HA	All

Remediation/Fixes

Steps followed to fix moment-timezone related security vulnerability issue:

VMRM Service Pack fixes are available. The fixes can be downloaded from below location.

URL: https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%20software&product=ibm/Other+software/IBM+VM+Recovery+Manager+DR+for+Power+Systems&release=1.7.0.0&platform=All&function=all

2.To install both the GUI server and the GUI agent file sets on one of the KSYS nodes, run the following command:

installp -acFXYd fileset_location -V2 [-e filename.log] ksys.ui.server ksys.ui.agent ksys.ui.common

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm vm recovery manager ha for power systemseq1.7.0.0

CPE	Name	Operator	Version
	ibm vm recovery manager ha for power systems	eq	1.7.0.0

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

70.9%

JSON

Related for 582E108723F2B0729343ED1D97E0791DC1CFB579A0F69C00B8D008EFEA47EB2C