Lucene search

K
ibmIBM58B98F68E27EAC66CA1E4B8FB209AB0974C5FFAB111F00F32CC8BB84E972F4B7
HistoryFeb 19, 2024 - 8:15 a.m.

Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to security bypass due to PostgreSQL (CVE-2023-39418)

2024-02-1908:15:50
www.ibm.com
8
ibm sterling connect:direct
postgresql
security bypass
vulnerability
upgrade
fix central

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

6.3 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%

Summary

IBM Sterling Connect:Direct Web Service uses PostgreSQL. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-39418
**DESCRIPTION:**PostgreSQL could allow a remote authenticated attacker to bypass security restrictions, caused by failing to enforce UPDATE or SELECT row security policies in MERGE command. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263358 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Connect:Direct Web Services 6.3.0
IBM Sterling Connect:Direct Web Services 6.1.0
IBM Sterling Connect:Direct Web Services 6.2.0
IBM Connect:Direct Web Services 6.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Product(s)|Version(s)|**Remediation
**
—|—|—
IBM Sterling Connect:Direct Web Services| 6.1| Apply 6.1.0.23, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.2| Apply 6.2.0.22, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.3| Apply 6.3.0.6, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.0| Upgrade to 6.1.0.23, 6.2.0.22, or 6.3.0.6

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsterling_connect\Matchdirect6.1

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

6.3 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

36.3%