Security Bulletin: Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861).

Summary

Vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). IBM has addressed the vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-20861
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-20860
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

In order to fix these vulnerabilities, Spring is to be upgraded to 5.3.26 version. The efix to resolve these vulnerabilities can only be applied to TADDM version 7.3.0.9 or later versions as per below given detailed steps. For customer at older TADDM Fixpack level (i.e., 7.3.0.8 or older), they need to first upgrade their TADDM environment to TADDM 7.3.0.9 level and then follow the step given below.

Detailed steps:

For TADDM 7.3.0.9 & Above, check if there is any previously applied eFixes in their TADDM environment.

1. If there is no prior efixes(ls -rlt etc/efix*) applied in their TADDM, then download the efix given in Table-1and apply the efix.
2. If there are existing efixes on TADDM (ls -rlt etc/efix*), please contact IBM Support and open a case for a custom version of the eFix as the efix involves TADDM code changes. Include the current eFix level (ls -rlt etc/efix*), TADDM version and a link to this bulletin in the Support Case

For any other TADDM fixpack level (i.e., 7.3.0.8 or older), to apply this bulletin, upgrade to TADDM 7.3.0.9 and then follow procedure as mentioned above for TADDM 7.3.0.9 & above .

Table-1

Fix|

VRMF

| APAR|How to acquire fix
—|—|—|—
efix_spring5.3.26_FP9211123.zip|

7.3.0.9

| None| Download eFix
efix_spring5.3.26_FP10221123.zip|

7.3.0.10

| None| Download eFix

Workarounds and Mitigations

None