IBM5C3DC3B25D93BC1B713C4AA8F706556DA659C8265BE700EFB770C6F638A9B102Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to IBM Java SDK (Tech Edition) vulnerabilities
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low
Summary
IBM Sterling Partner Engagement Manager 6.2.3.1, 6.1.2.10, and 6.2.0.8 address IBM Java SDK (Tech Edition) CPU vulnerabilities attached to this Security Bulletin.
Vulnerability Details
CVEID:CVE-2023-22045
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-22049
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| PEM | 6.2.1 |
| PEM | 6.2.2 |
| PEM | 6.1.2 |
| PEM | 6.2.3 |
| PEM | 6.2.0 |
Remediation/Fixes
| Product | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.3.1, 6.1.2.10, 6.2.0.8 | Download 6.2.3.1 and follow installation instructions |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2.3.1, 6.1.2.10, 6.2.0.8 | Download 6.2.3.1 and follow installation instructions |
Workarounds and Mitigations
There are some temporary workarounds/mitigations that can be performed (see Oracle’s Security Alert for more information), but they are not recommended as long-term solutions to this problem. Upgrading to the latest Partner Engagement Manager in your release is the only viable long-term solution.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | sterling_partner_engagement_manager | 6.2.2 | cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.2:*:*:*:*:*:*:* |
| ibm | sterling_partner_engagement_manager | 62.0 | cpe:2.3:a:ibm:sterling_partner_engagement_manager:62.0:*:*:*:*:*:*:* |
| ibm | sterling_partner_engagement_manager | 6.1.2 | cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.1.2:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
AI Score
Confidence
Low