Lucene search

K
ibmIBM6CB5A8B6603ADE62689E4E6D44B058406FDA9A6EC2CAE4AE08B966F700EFA797
HistoryFeb 02, 2024 - 3:59 a.m.

Security Bulletin: IBM Tivoli Business Service Manager is vulnerable to remote attack due to Apache Santuario (CVE-2023-44483)

2024-02-0203:59:33
www.ibm.com
11
apache santuario
sensitive information disclosure
private key storage
cve-2023-44483
ibm tivoli business service manager
version 6.2.0
security bulletin
upgrade
ij49179
remote attack

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

38.7%

Summary

Apache Santuario is shipped with IBM Tivoli Business Service Manager as part of the web services security library. Information about a security vulnerability affecting Apache Santuario has been published in a security bulletin.

Vulnerability Details

**CVEID:**CVE-2023-44483 DESCRIPTION: Apache Santuario could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of a private key in the log files when using the JSR 105 API. By gaining access to the log files, an attacker could exploit this vulnerability to obtain the private key information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269153 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Tivoli Business Service Manager 6.2.0

Remediation/Fixes

Product VRMF APAR Remediation
IBM Tivoli Business Service Manager 6.2.0.0 - 6.2.0.5 6.2.0.5 IF4 IJ49179 Upgrade to IBM Tivoli Business Service Manager 6.2.0.5 IF4

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmtivoli_business_service_managerMatch6.2.0
VendorProductVersionCPE
ibmtivoli_business_service_manager6.2.0cpe:2.3:a:ibm:tivoli_business_service_manager:6.2.0:*:*:*:*:*:*:*

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

38.7%