Security Bulletin: IBM Security Verify Access is vulnerable to a specially crafted HTTP request

Summary

IBM Security Verify Access Appliance/Container and IBM Application Gateway are vulnerable to information disclosure or denial of service due to a specially crafted HTTP request. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2024-28787
**DESCRIPTION:**IBM Security Verify could allow a remote attacker to obtain highly sensitive private information or cause a denial of service using a specially crafted HTTP request.
CVSS Base score: 8.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286584 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access Container

• Obtain the latest version of the container by running the command “docker pull icr.io/isva/verify-access:[tag]”

Where [tag] is the latest published version and can be confirmed here.

For the IBM Security Verify Access appliance

• Obtain the latest version by obtaining the fix at the location shown below:

Affected Products and Versions

|

Fix availability

—|—

IBM Security Verify Access Appliance 10.0.0.0

|

10.0.7-ISS-ISVA-IF0001

For the IBM Application Gateway Container

• Obtain the latest version of the container by running the command “docker pull icr.io/ibmappgateway/ibm-application-gateway:[tag]”

Where [tag] is the latest published version and can be confirmed here.

Workarounds and Mitigations

None