Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6AB4CC9DF83D8DCD50DA14335605A02BAACEADB8D24697A2B78D40B61466CE06
HistoryFeb 09, 2024 - 8:16 p.m.

Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access

2024-02-0920:16:52
www.ibm.com
45
ibm security verify access
vulnerabilities
appliance
docker
access control
storage
privilege escalation
denial of service
remote login

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.093 Low

EPSS

Percentile

94.8%

JSON

Summary

There were multiple Security Vulnerabilities that were reported against IBM Security Verify Access. These have been addressed in IBM Security Verify Access updates.

Vulnerability Details

CVEID:CVE-2023-31003
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254658.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254658 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-31001
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254653.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254653 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-38267
**DESCRIPTION:**IBM Security Access Manager Appliance (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain sensitive configuration information. IBM X-Force ID: 260584.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260584 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-31005
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration. IBM X-Force ID: 254767.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254767 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-30999
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 254651.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254651 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-43016
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. IBM X-Force ID: 266154.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266154 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-32327
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 254783.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254783 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

CVEID:CVE-2023-32329
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation. IBM X-Force ID: 254972.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254972 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-31004
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques. IBM X-Force ID: 254765.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254765 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:CVE-2023-31006
**DESCRIPTION:**IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server. IBM X-Force ID: 254776.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254776 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-32328
**DESCRIPTION:**IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254957 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-32330
**DESCRIPTION:**IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure calls that could allow an attacker on the network to take control of the server. IBM X-Force ID: 254977.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254977 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-43017
**DESCRIPTION:**IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access. IBM X-Force ID: 266155.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266155 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID:CVE-2022-2068
**DESCRIPTION:**OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c_rehash script. By sending a specially-crafted request using shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands with the privileges of the script on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226018 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-31002
**DESCRIPTION:**IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254657 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-38369
**DESCRIPTION:**IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 does not require that docker images should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 261196.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261196 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Verify Access Docker 10.0.0.0 - 10.0.6.1
IBM Security Verify Access Appliance 10.0.0.0 - 10.0.6.1

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access (Docker Container)

Where [tag] is the latest published version and can be confirmed here.

For the ISAM/ISVA appliances

  • Obtain the latest version by obtaining the fix at the location shown below:

Affected Products and Versions

|

Fix availability

—|—

IBM Security Verify Access 10.0.0.0

|

10.0.7-ISS-ISVA-FP0000

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsecurity_verify_accessMatch10.0.0.0
OR
ibmsecurity_verify_accessMatch10.0.6.1

Related

nvd 16
prion 16
cnvd 6
cvelist 16
cve 16
vulnrichment 1
openvas 30
osv 7
ubuntu 2
ibm 12
ics 1
rocky 2
debian 1
nodejsblog 2
altlinux 4
veracode 1
cbl_mariner 2
fedora 2
photon 3
cloudfoundry 1
freebsd 1
mageia 1
redhat 2
broadcom 1
nessus 36
amazon 3
openssl 1
ubuntucve 1
cloudlinux 1
suse 3
f5 1
redhatcve 1
debiancve 1
slackware 2
alpinelinux 1
oraclelinux 1
aix 1
nvd
nvd
CVE-2023-32328
2024-02-07 17:15:08
CVE-2023-32327
2024-02-03 01:15:08
CVE-2023-31004
2024-02-03 01:15:08
prion
prion
Design/Logic Flaw
2024-02-03 01:15:00
Code injection
2024-02-07 17:15:00
Code injection
2024-02-03 01:15:00
cnvd
cnvd
IBM Security Verify Access Trust Management Issues Vulnerability
2024-02-19 00:00:00
IBM Security Access Manager Data Forgery Issue Vulnerability
2024-02-05 00:00:00
IBM Security Verify Access Information Disclosure Vulnerability (CNVD-2024-09176)
2024-02-19 00:00:00
cvelist
cvelist
CVE-2023-38267 IBM Security Access Manager Appliance information disclosure
2024-01-11 02:48:49
CVE-2023-32328 IBM Security Verify Access information disclosure
2024-02-07 16:07:06
CVE-2023-32327 IBM Security Access Manager Container XML external entity injection
2024-02-03 00:57:32
cve
cve
CVE-2023-32329
2024-02-03 01:15:08
CVE-2023-38267
2024-01-11 03:15:09
CVE-2023-30999
2024-02-03 01:15:07
vulnrichment
vulnrichment
CVE-2023-43016 IBM Security Access Manager Container unauthorized access
2024-02-03 00:55:55
openvas
openvas
Ubuntu: Security Advisory (USN-5488-1)
2022-06-22 00:00:00
Fedora: Security Advisory for openssl1.1 (FEDORA-2022-3b7d0abd0b)
2022-07-07 00:00:00
Mageia: Security Advisory (MGASA-2022-0246)
2022-07-01 00:00:00
osv
osv
heap buffer overflow in OpenSSL version 3.0.4
2022-06-28 02:20:38
openssl, openssl1.0 vulnerability
2022-06-21 14:36:21
heap buffer overflow in OpenSSL version 3.0.4
2022-06-28 02:20:38
ubuntu
ubuntu
OpenSSL vulnerability
2022-07-06 00:00:00
OpenSSL vulnerability
2022-06-21 00:00:00
ibm
ibm
Security Bulletin: IBM Aspera Orchestrator affected by OpenSSL vulnerability (CVE-2022-2068)
2023-02-02 17:25:41
Security Bulletin: OpenSSL vulnerability affects App Connect professional v7.5.4.
2022-07-06 04:56:24
Security Bulletin: IBM Sterling Connect:Direct for UNIX Container is vulnerable to execute arbitrary commands due to OpenSSL (CVE-2022-2068)
2022-09-14 14:09:15
ics
ics
Mitsubishi Electric GT SoftGOT2000
2022-11-15 12:00:00
rocky
rocky
openssl security and bug fix update
2023-01-26 21:50:01
openssl security update
2022-08-02 07:00:02
debian
debian
[SECURITY] [DSA 5169-1] openssl security update
2022-06-26 18:26:57
nodejsblog
nodejsblog
OpenSSL update assessment, and Node.js project plans
2022-06-21 00:00:00
OpenSSL update assessment, and Node.js project plans
2022-06-21 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package openssl1.1 version 1.1.1q-alt1
2022-07-08 00:00:00
Security fix for the ALT Linux 9 package openssl1.1 version 1.1.1q-alt1
2022-07-05 00:00:00
Security fix for the ALT Linux 9 package openssl1.1 version 1.1.1p-alt1
2022-06-22 00:00:00
veracode
veracode
Command Injection
2022-06-22 12:42:34
cbl_mariner
cbl_mariner
CVE-2022-2068 affecting package openssl for versions less than 1.1.1k-17
2022-07-01 21:02:21
CVE-2022-2068 affecting package openssl 1.1.1k-16
2022-07-14 20:59:56
fedora
fedora
[SECURITY] Fedora 36 Update: openssl1.1-1.1.1p-1.fc36
2022-07-06 01:38:37
[SECURITY] Fedora 35 Update: openssl-1.1.1q-1.fc35
2022-07-23 02:27:30
photon
photon
Moderate Photon OS Security Update - PHSA-2022-0408
2022-06-22 00:00:00
Moderate Photon OS Security Update - PHSA-2022-0490
2022-06-23 00:00:00
Critical Photon OS Security Update - PHSA-2022-3.0-0408
2022-06-22 00:00:00
cloudfoundry
cloudfoundry
USN-5488-1: OpenSSL vulnerability | Cloud Foundry
2022-07-28 00:00:00
freebsd
freebsd
OpenSSL -- Command injection vulnerability
2022-06-21 00:00:00
mageia
mageia
Updated openssl packages fix security vulnerability
2022-07-01 00:31:09
redhat
redhat
(RHSA-2022:8913) Moderate: Red Hat JBoss Web Server 5.7.1 release and security update
2022-12-12 12:28:19
(RHSA-2022:8917) Moderate: Red Hat JBoss Web Server 5.7.1 release and security update
2022-12-12 12:20:51
broadcom
broadcom
openssl file names of certificates being hashed were possibly passed to a command executed through the shell
2023-08-01 00:00:00
nessus
nessus
SUSE SLES12 Security Update : openssl (SUSE-SU-2022:2181-1)
2022-06-27 00:00:00
SUSE SLES15 Security Update : openssl (SUSE-SU-2022:2179-1)
2022-06-25 00:00:00
Amazon Linux 2 : openssl (ALAS-2022-1831)
2022-08-08 00:00:00
amazon
amazon
Medium: openssl
2022-07-28 21:55:00
Medium: openssl11
2022-07-28 21:55:00
Medium: openssl
2022-07-28 20:38:00
openssl
openssl
Vulnerability in OpenSSL CVE-2022-2068
2022-06-21 00:00:00
ubuntucve
ubuntucve
CVE-2022-2068
2022-06-21 00:00:00
cloudlinux
cloudlinux
Fixed CVEs in openssl: CVE-2022-1292, CVE-2022-2068
2022-07-14 16:53:26
suse
suse
Security update for openssl-1_1 (moderate)
2022-09-01 00:00:00
Security update for openssl-1_0_0 (moderate)
2022-07-07 00:00:00
Security update for openssl-1_1 (moderate)
2022-07-04 00:00:00
f5
f5
K21600298 : OpenSSL vulnerabilities CVE-2022-1292 and CVE-2022-2068
2022-08-05 00:00:00
redhatcve
redhatcve
CVE-2022-2068
2022-06-22 06:36:12
debiancve
debiancve
CVE-2022-2068
2022-06-21 15:15:09
slackware
slackware
[slackware-security] openssl
2022-06-23 05:32:23
[slackware-security] Slackware 14.2 openssl
2022-06-28 19:28:45
alpinelinux
alpinelinux
CVE-2022-2068
2022-06-21 15:15:09
oraclelinux
oraclelinux
openssl security update
2022-08-05 00:00:00
aix
aix
AIX is vulnerable to arbitrary command execution due to OpenSSL
2022-08-17 16:39:03

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.093 Low

EPSS

Percentile

94.8%

JSON
Related for 6AB4CC9DF83D8DCD50DA14335605A02BAACEADB8D24697A2B78D40B61466CE06
nvd16prion16cnvd6cvelist16cve16vulnrichment1openvas30osv7ubuntu2ibm12ics1rocky2debian1nodejsblog2altlinux4veracode1cbl_mariner2fedora2photon3cloudfoundry1freebsd1mageia1redhat2broadcom1nessus36amazon3openssl1ubuntucve1cloudlinux1suse3f51redhatcve1debiancve1slackware2alpinelinux1oraclelinux1aix1