Lucene search

IBM73A7A1FF7B10135CF6A8C391B9DF40C1C7C0055B7592520604D6C4096600BCDD

HistoryFeb 07, 2024 - 10:44 a.m.

Security Bulletin: IBM Sterling Control Center vulnerable to denial of service due to Spring Boot and remote code execution due to Spring Framework

2024-02-0710:44:48

www.ibm.com

ibm sterling control center

vulnerability

denial of service

spring boot

remote code execution

spring framework

cve-2023-20883

cve-2016-1000027

containerized image

vmware tanzu

pivotal spring framework

deserialization flaw

unsafe deserialization

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.024 Low

EPSS

Percentile

90.1%

JSON

Summary

IBM Sterling Control Center containerized image uses VMWare Tanzu Spring Boot and Pivotal Spring Framework. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-20883
**DESCRIPTION:**VMware Tanzu Spring Boot is vulnerable to a denial of service, caused by a flaw when Spring MVC is used together with a reverse proxy cache. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255809 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2016-1000027
**DESCRIPTION:**Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw in the library. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174367 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Control Center	6.3.0.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Product

Version

Remediation

—|—|—

IBM Sterling Control Center

6.3.0.0 GA through iFix03

6.3.0.0 iFix04 Fix Central - 6.3.0.0

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcontrol_centerMatch6.3.0.0

CPENameOperatorVersion
ibm control centereq6.3.0.0

CPE	Name	Operator	Version
	ibm control center	eq	6.3.0.0

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.024 Low

EPSS

Percentile

90.1%

JSON

Related for 73A7A1FF7B10135CF6A8C391B9DF40C1C7C0055B7592520604D6C4096600BCDD