
Security Bulletin: IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture (CVE-2023-30990)

Published: 2023-07-14 23:15:41
Source: www.ibm.com
Tags: ibm i, ddm architecture, vulnerability, fix, 7.2, 7.3, 7.4, 7.5, ptf, cl commands

CVSS3 (aggregator score): 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Note that this 9.8 score and its C:H/I:H vector differ from the 8.6 CVSS 3.0 score and C:L/I:L/A:H vector that IBM publishes in the vulnerability details below; both appear on this page and should be read against their respective sources when prioritising.

EPSS: 0.002
Percentile: 54.1%

Summary

IBM i is vulnerable to a remote attacker executing CL commands due to an exploitation of DDM architecture as described in the vulnerability details section. IBM i has addressed the vulnerability in the DDM architecture as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2023-30990
**DESCRIPTION:** IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036.
CVSS Base score: 8.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/254036 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM i| 7.5
IBM i| 7.4
IBM i| 7.3
IBM i| 7.2

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The IBM i PTF numbers for IBM i 5770-SS1 Base Operating System contain the fix for the vulnerability.

IBM i Release| 5770-SS1 PTF Number| PTF Download Link
—|—|—
7.5| SI83472| <https://www.ibm.com/support/pages/ptf/SI83472>
7.4| SI83473| <https://www.ibm.com/support/pages/ptf/SI83473>
7.3| SI83474| <https://www.ibm.com/support/pages/ptf/SI83474>
7.2| SI84090| <https://www.ibm.com/support/pages/ptf/SI84090>


<https://www.ibm.com/support/fixcentral&gt;

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.
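A fleet-wide way to confirm the fix from the table above is actually installed is to query the Db2 for i PTF service rather than reading DSPPTF output by hand. The query below is an added example, not part of the IBM bulletin; it assumes the standard QSYS2.PTF_INFO view with its PTF_PRODUCT_ID, PTF_IDENTIFIER and PTF_LOADED_STATUS columns, and the constructed `required` list carries the four PTF numbers from the bulletin keyed by the release they belong to.

```sql
-- Added verification query (not from the IBM bulletin).
-- Assumes QSYS2.PTF_INFO exists with columns PTF_PRODUCT_ID, PTF_IDENTIFIER
-- and PTF_LOADED_STATUS. Run from ACS Run SQL Scripts or STRSQL on each partition.
WITH required(ptf_id, os_release) AS (
  -- constructed list: PTF numbers published in the bulletin, one per release
  VALUES ('SI83472', 'V7R5M0'),
         ('SI83473', 'V7R4M0'),
         ('SI83474', 'V7R3M0'),
         ('SI84090', 'V7R2M0')
)
SELECT r.os_release,
       r.ptf_id,
       -- a PTF that was never loaded has no row in PTF_INFO at all
       COALESCE(p.PTF_LOADED_STATUS, 'NOT ON SYSTEM') AS fix_status
FROM required r
LEFT JOIN QSYS2.PTF_INFO p
       ON p.PTF_IDENTIFIER = r.ptf_id
      AND p.PTF_PRODUCT_ID = '5770SS1'   -- base operating system, as in the bulletin
ORDER BY r.os_release DESC;
```

Only the row matching the partition's own release matters: it should read APPLIED or PERMANENTLY APPLIED, while the other three rows will normally show NOT ON SYSTEM. A LOADED status means the PTF still needs APYPTF (and, for this product, an IPL if the PTF requires one), and if the PTF has since been superseded by a later cumulative or group PTF, verify the superseding PTF instead.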

Workarounds and Mitigations

None

Affected configurations (Vulners CPE matches)

Vendor| Product| Version| CPE
—|—|—|—
ibm| ibm_i_7.5_preventative_service_planning| 7.5.0| cpe:2.3:a:ibm:ibm_i_7.5_preventative_service_planning:7.5.0:*:*:*:*:*:*:*
ibm| planning_analytics| 7.4.0| cpe:2.3:a:ibm:planning_analytics:7.4.0:*:*:*:*:*:*:*
ibm| i| 7.5.0| cpe:2.3:o:ibm:i:7.5.0:*:*:*:*:*:*:*
ibm| i| 7.4.0| cpe:2.3:o:ibm:i:7.4.0:*:*:*:*:*:*:*
ibm| i| 7.3.0| cpe:2.3:o:ibm:i:7.3.0:*:*:*:*:*:*:*
ibm| i| 7.2.0| cpe:2.3:o:ibm:i:7.2.0:*:*:*:*:*:*:*
ibm| planning_analytics| 7.3.0| cpe:2.3:a:ibm:planning_analytics:7.3.0:*:*:*:*:*:*:*
ibm| planning_analytics| 7.2.0| cpe:2.3:a:ibm:planning_analytics:7.2.0:*:*:*:*:*:*:*
