Vulnerabilities in Spring Framework affect IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). IBM has addressed the vulnerabilities.
CVEID: CVE-2023-20861
**DESCRIPTION:** VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2023-20860
**DESCRIPTION:** VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
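The pattern mismatch behind CVE-2023-20860 arises when a Spring Security rule uses a double wildcard with no leading slash, so Spring Security and Spring MVC can disagree about which requests the rule covers. The following Spring Security 5.x configuration is an added illustration, not IBM's, TADDM's or the Spring project's code; it places the weak pattern beside a hardened, slash-prefixed form. The class name and the `/admin/**` path are assumptions for the example. The remediation this bulletin prescribes is upgrading Spring Framework to 5.3.26 via the eFix; reviewing matcher patterns is a complementary configuration check.

```java
// Added example (not IBM/TADDM/Spring project code): contrasting the
// un-prefixed double wildcard described in CVE-2023-20860 with an
// anchored pattern. Class name and /admin/** path are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApiSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
            // WEAK (do not use): an un-prefixed "**" pattern. On Spring
            // Framework 5.3.0-5.3.25 this is the configuration the bulletin
            // describes; Spring Security and Spring MVC may interpret the
            // pattern differently, so the rule need not cover the requests
            // it appears to cover.
            // .mvcMatchers("**").authenticated()

            // HARDENED: anchor patterns with a leading slash so both layers
            // resolve the same request paths; most specific rules first.
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            .mvcMatchers("/**").authenticated()
        );
        return http.build();
    }
}
```

When auditing a Spring Security configuration for this issue, search for `mvcMatchers(` (or `mvcRequestMatcher` / `MvcRequestMatcher` usages) whose pattern string begins with `**` rather than `/`; each such rule should be rewritten with a leading slash in addition to applying the Spring 5.3.26 upgrade.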
| Affected Product(s) | Version(s) |
|---|---|
| IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0 - 7.3.0.10 |
To fix these vulnerabilities, Spring must be upgraded to version 5.3.26. The eFix that resolves them can only be applied to TADDM version 7.3.0.9 or later, following the detailed steps below. Customers at an older TADDM fix pack level (7.3.0.8 or earlier) must first upgrade their TADDM environment to 7.3.0.9 and then follow the steps given below.
Detailed steps:
For TADDM 7.3.0.9 and above, first check whether any eFixes have previously been applied in the TADDM environment.
For any other TADDM fix pack level (7.3.0.8 or earlier), upgrade to TADDM 7.3.0.9 and then follow the procedure described above for TADDM 7.3.0.9 and above.
Table-1

| Fix | VRMF | APAR | How to acquire fix |
|---|---|---|---|
| efix_spring5.3.26_FP9211123.zip | 7.3.0.9 | None | Download eFix |
| efix_spring5.3.26_FP10221123.zip | 7.3.0.10 | None | Download eFix |