## Summary
WebSphere Application Server, used by IBM Tivoli Network Manager (ITNM) IP Edition, is vulnerable to a remote code execution vulnerability.
## Vulnerability Details
**CVEID:** [CVE-2023-23477](<https://vulners.com/cve/CVE-2023-23477>)
**DESCRIPTION:** IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. IBM X-Force ID: 245513.
CVSS Base score: 8.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/245513](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245513>) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
## Affected Products and Versions
Affected Product(s)| Version(s)
---|---
ITNM| 4.2 GA through to 4.2.0.13
## Remediation/Fixes
IBM strongly recommends addressing the vulnerability now. The issue has been fixed in WebSphere 9.0.5.8 and 8.5.5.20 (<https://www.ibm.com/support/pages/node/6891111>). ITNM 4.2 Fix Pack 14 supports these versions of WebSphere. Upgrading to ITNM 4.2 Fix Pack 14 or above and using a recommended version of WebSphere will fix the vulnerability.
## Workarounds and Mitigations
None
##
{"id": "77DA5502DF7BE7823F6901796BCC0F7902A995AA8FC03FA02A66A2586921BF77", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability", "description": "## Summary\n\nWebSphere Application Server, used by IBM Tivoli Network Manager (ITNM) IP Edition, is vulnerable to a remote code execution vulnerability. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-23477](<https://vulners.com/cve/CVE-2023-23477>) \n** DESCRIPTION: **IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. IBM X-Force ID: 245513. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245513](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245513>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nITNM| 4.2 GA through to 4.2.0.13 \n \n\n\n## Remediation/Fixes\n\nIBM Strongly recommends addressing the vulnerability now. The issue has been fixed in WebSphere 9.0.5.8, 8.5.5.20 (<https://www.ibm.com/support/pages/node/6891111>). ITNM 4.2 Fix Pack 14 supports these versions of WebSphere. 
Upgrading to ITNM 4.2 Fix Pack 14 or above and using recommended version of WebSphere will fix the vulnerability.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "published": "2023-03-23T08:09:05", "modified": "2023-03-23T08:09:05", "epss": [{"cve": "CVE-2023-23477", "epss": 0.00242, "percentile": 0.60774, "modified": "2023-06-06"}], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.ibm.com/support/pages/node/6965702", "reporter": "IBM", "references": [], "cvelist": ["CVE-2023-23477"], "immutableFields": [], "lastseen": "2023-06-06T21:39:02", "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cnvd", "idList": ["CNVD-2023-07975"]}, {"type": "cve", "idList": ["CVE-2023-23477"]}, {"type": "ibm", "idList": ["281C59FFC4546047F10203BFC661B999603744F9E20A8555F214C86881F35113", "42386727D538FF008596FFBA55B9DA2ADE383B9E082651CEE3F3216B78E1FC36", "49B2714E705EEE4FFE71353487925E5F9B967A62A3382CDC06A326DDEA79A0E5", "61612DC94A9FD17DB91F89818055ED0E9265AC28BA2CB1DDA665B2B8812209C9", 
"618D0C989D8842022EE4E482342F9F276B09F9FF89045439A041B1DC152F9669", "6263EEE0E93988072DB6BDEAEC99464F7A84B6B52A5ADECB6BABD35F9EC83D98", "6D5DA1D4B75D67E3006924A3281DF6B2E115AA753DB399A73F56D4D49E7B1A5C", "728DD2734EBBE317EEA80FA2FEC8762009C53C2E1F0E919BA2C47C8FB867BFA4", "7F567D63F751C15B4466C3C503B9CA211C79AA803963EE025864969BB01A2CCA", "85D0D988F5EB994076D7695A5FC17883E1FE4A35295C5EF61A8DAC947B7A95AC", "AAFB41A860583793511C376EFA75DA2371ECFD2DE6A284FEB13D83732896D98B", "B243BB258ACB0B53366BD53B29DC5E8C614C1F71792D683239FBF23804119937", "B564E1ABFB8B7A90EA8A725FFBF29881EAA1EFBE1241553079D89CD6E5FB195C", "C79A1E4DB71163ACE0A24BC1A74F041F58F9C43C0A3AAF7CC244B3C76F0F81D9", "CDAA00A0498EDFE0307C588CB3B5F3F1238ED20C78DCBC1118346250B08B8C13", "DCEC48F93F97671E2AE0CFF8C7D217A96EEE6429AA82EE6EB4A21F3576728F47", "DF5E810E583D8A946C2D13C3DEEF6C9D4CCF503D5E363751995DDA5154870113", "E34E511A2630387F93D77987AAF7878D79B4A1D4823C600C4F2AB9AF1DC16154", "E4F44DE1086A4A098B1CB361B941D5BE475DA458FC0B0207D5963C26601CF6CD", "EAC62399B5ED6153C031B3A1EE54F7095211001CCBF1FA61A01EE1A3C5170601", "FAFDD5F74CE6FCCB94CD4FB8F4FF974ECA98AB546E66799B87DEDE93B1B57A46", "FFF4FE1183282442D6F01378F3FD4C987299980B0C46585F4B364F8E32DEA72C"]}, {"type": "nessus", "idList": ["WEBSPHERE_6891111.NASL"]}]}, "epss": [{"cve": "CVE-2023-23477", "epss": 0.00242, "percentile": 0.60643, "modified": "2023-05-02"}], "score": {"value": 9.5, "vector": "NONE"}, "vulnersScore": 9.5}, "_state": {"dependencies": 1686093171, "score": 1686087638, "epss": 0}, "_internal": {"score_hash": "66da3c852f048974cf48f05b24666c24"}, "affectedSoftware": [{"version": "4.2.0", "operator": "eq", "name": "tivoli network manager ip edition"}]}
{"ibm": [{"lastseen": "2023-03-20T13:33:09", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Workload Scheduler, which results in IBM Workload Scheduled being impacted by this vulnerability. IBM WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability. This has been addressed.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Workload Scheduler| 9.4 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Workload Scheduler. IBM recommends that these remediations are applied to all instances of IBM Workload Scheduler. \n\n<https://www.ibm.com/support/pages/node/6891111>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2023-03-20T10:08:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2023-23477"], "modified": "2023-03-20T10:08:24", "id": "FFF4FE1183282442D6F01378F3FD4C987299980B0C46585F4B364F8E32DEA72C", "href": "https://www.ibm.com/support/pages/node/6964524", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-06T21:36:40", "description": "## Summary\n\nEmbedded IBM WebSphere Application Server is shipped with IBM Tivoli Netcool Configuration Manager version 6.4.12 Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- 
\nITNCM| 6.4.2 \n \n## Remediation/Fixes\n\nAffected Product(s)| Version(s)| Remediation \n---|---|--- \nITNCM| 6.4.2| \n\n[IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" )\n\nSee section: For V8.5.0.0 through 8.5.5.19: \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-02T13:43:42", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in embedded IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-06-02T13:43:42", "id": "CDAA00A0498EDFE0307C588CB3B5F3F1238ED20C78DCBC1118346250B08B8C13", "href": "https://www.ibm.com/support/pages/node/7000959", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:12", 
"description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM WebSphere Service Registry and Repository. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version(s)** \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server V8.5.5 \n \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin: \n\n[Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111>) \n \nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-14T16:53:13", "type": "ibm", "title": "Security Bulletin: Vulnerability identified in IBM WebSphere Application Server shipped with IBM WebSphere Service Registry and Repository (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-14T16:53:13", "id": "618D0C989D8842022EE4E482342F9F276B09F9FF89045439A041B1DC152F9669", "href": "https://www.ibm.com/support/pages/node/6955547", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:17", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM/GKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v3.0 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v3.0.1 | WebSphere Application Server v9.0.0.5 \nIBM Security Key Lifecycle Manager (SKLM) v4.0 | WebSphere Application Server v9.0.5.0 \nIBM Security Guardium Key Lifecycle Manager (GKLM) v4.1 | WebSphere Application Server v9.0.5.5 \n \n## Remediation/Fixes\n\nPlease consult the [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": 
"HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-10T15:40:13", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-10T15:40:13", "id": "DF5E810E583D8A946C2D13C3DEEF6C9D4CCF503D5E363751995DDA5154870113", "href": "https://www.ibm.com/support/pages/node/6954723", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:23", "description": "## Summary\n\nThe security issue described in CVE-2023-23477 has been identified in the WebSphere Application Server traditional included as part of IBM Tivoli Composite Application Manager for Application Diagnostics\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTivoli Composite Application Manager for Application Diagnostics| 7.1.0 \n \n\n\n## Remediation/Fixes\n\nFollow the WebSphere security bulletin, <https://www.ibm.com/support/pages/node/6891111> to update WebSphere Application Servers.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-09T05:05:13", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-09T05:05:13", "id": "FAFDD5F74CE6FCCB94CD4FB8F4FF974ECA98AB546E66799B87DEDE93B1B57A46", "href": "https://www.ibm.com/support/pages/node/6954391", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:42", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. 
Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nWebGUI 8.1.0 GA and FP| Websphere Application Server V8.5 and V9 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-07T02:42:08", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-07T02:42:08", "id": "6D5DA1D4B75D67E3006924A3281DF6B2E115AA753DB399A73F56D4D49E7B1A5C", "href": "https://www.ibm.com/support/pages/node/6953483", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Remote Server | 9.0, 8.5 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM WebSphere Remote Server. 
\n \n\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nIBM WebSphere Remote Server \n9.0, 8.5\n\n| \n\nIBM WebSphere Application Server 9.0, 8.5\n\n| \n\n[IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T14:07:15", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-01T14:07:15", "id": "85D0D988F5EB994076D7695A5FC17883E1FE4A35295C5EF61A8DAC947B7A95AC", "href": "https://www.ibm.com/support/pages/node/6909455", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:48", "description": "## Summary\n\nIBM WebSphere 
Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions (including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions of the IBM Maximo Asset Management core product. Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.\n\n**Maximo Asset Management core product versions affected:**\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version \n \n---|--- \nMaximo Asset Management 7.6.1.2 \nMaximo Asset Management 7.6.1.3 | \n\nIBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \n \n \n* To determine the core product version, log in and view System Information. The core product version is the \"Tivoli's process automation engine\" version. 
Please consult the [Platform Matrix](<https://www.ibm.com/support/pages/node/1288432> \"Platform Matrix\" ) for a list of supported product combinations.\n\n## Remediation/Fixes\n\n[Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-31T21:03:38", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-01-31T21:03:38", "id": "42386727D538FF008596FFBA55B9DA2ADE383B9E082651CEE3F3216B78E1FC36", "href": "https://www.ibm.com/support/pages/node/6891159", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": 
"2023-06-06T21:40:49", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Business Monitor| 8.5.5 \nIBM Business Monitor| 8.5.6 \nIBM Business Monitor| 8.5.7 \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T07:18:51", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-01T07:18:51", "id": "B243BB258ACB0B53366BD53B29DC5E8C614C1F71792D683239FBF23804119937", "href": "https://www.ibm.com/support/pages/node/6907889", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:23", "description": "## Summary\n\nIBM WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability. This has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2023-23477](<https://vulners.com/cve/CVE-2023-23477>) \n** DESCRIPTION: **IBM WebSphere Application Server traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/245513](<https://exchange.xforce.ibmcloud.com/vulnerabilities/245513>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Application Server| 9.0 \nIBM WebSphere Application Server| 8.5 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading to the fixpack specified below.\n\nPlease note that this vulnerability applies only to version 9.0.0.0 through 9.0.5.7 and version 8.5.0.0 through 8.5.5.19. 
It does **not** apply to fix pack version 9.0.5.8 and later, and it does **not** apply to fix pack version 8.5.5.20 and later.\n\n**For IBM WebSphere Application Server traditional:**\n\n**For V9.0.0.0 through 9.0.5.7:** \n\u00b7 Apply Fix Pack 9.0.5.8 or later.\n\n**For V8.5.0.0 through 8.5.5.19:** \n\u00b7 Apply Fix Pack 8.5.5.20 or later.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-08T17:10:37", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-08T17:10:37", "id": "B564E1ABFB8B7A90EA8A725FFBF29881EAA1EFBE1241553079D89CD6E5FB195C", "href": "https://www.ibm.com/support/pages/node/6891111", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:27", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Automation Workflow. 
Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s)| Status| Note \n---|---|---|--- \nIBM Business Automation Workflow containers| V22.0.1 - V22.0.2 - all fixes \nV21.0.1 - V21.0.3 - all fixes \nV20.0.0.1 - V20.0.0.2| Not affected| \nIBM Business Automation Workflow traditional| V22.0.1 - v22.0.2 \nV21.0.3 - V21.0.3.1| Not affected| \n\nThe following minimum fixpack levels of WebSphere Application Server V8.5.5 is not affected by this vulnerability\n\nIBM Business Automation Workflow [V21.0.3](<https://www.ibm.com/support/pages/node/6507343> \"V21.0.3\" ): V8.5.5.20 \nIBM Business Automation Workflow [V22.0.1](<https://www.ibm.com/support/pages/node/6589917> \"V22.0.1\" ): V8.5.5.21 \nIBM Business Automation Workflow [V22.0.2](<https://www.ibm.com/support/pages/installing-ibm-business-automation-workflow-2202> \"V22.0.2\" ): V8.5.5.22 \n \nIBM Business Automation Workflow traditional| V21.0.1 - V21.0.2 \nV20.0.0.1 - V20.0.0.2 \nV19.0.0.3 \nearlier unsupported versions| Affected| \n\nCumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.\n\nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product. 
\n \nIBM Business Automation Workflow Enterprise Service Bus| V22.0.2| Not affected| \n\nThe following minimum fixpack level of WebSphere Application Server V8.5.5 is not affected by this vulnerability\n\nIBM Business Automation Workflow Enterprise Service Bus [V22.0.2](<https://www.ibm.com/support/pages/installing-ibm-business-automation-workflow-2202> \"V22.0.2\" ): V8.5.5.22\n\nFor earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product. \n \n## Remediation/Fixes\n\nPlease consult the Security Bulletin: [IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-07T11:05:31", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-07T11:05:31", "id": "EAC62399B5ED6153C031B3A1EE54F7095211001CCBF1FA61A01EE1A3C5170601", "href": "https://www.ibm.com/support/pages/node/6953497", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:28", "description": "## Summary\n\nA vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Verify Governance, Identity Manager software component (CVE-2023-23477)\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Security Verify Governance, Identity Manager software component| 10.0.1 \n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s) \n\n| \n\nAffected Supporting Product and Version(s)\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nIBM Security Verify Governance, Identity Manager software component\n\n| \n\nWAS 9.0\n\n| \n\n[Security Bulletin: WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability(CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability\\(CVE-2023-23477\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2023-02-06T18:59:09", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Governance, Identity Manager software component is affected by a vulnerability CVE-2023-23477", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-06T18:59:09", "id": "6263EEE0E93988072DB6BDEAEC99464F7A84B6B52A5ADECB6BABD35F9EC83D98", "href": "https://www.ibm.com/support/pages/node/6953461", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:29", "description": "## Summary\n\nIBM WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability. 
This has been addressed.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz for Service Management| 1.1.3 \n \n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nJazz for Service Management version 1.1.3.7 - 1.1.3.16| Websphere Application Server Full Profile 9.0| [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \nJazz for Service Management version 1.1.3- 1.1.3.14| \n\nWebsphere Application Server Full Profile 8.5.5\n\n| [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-03T16:08:22", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a remote code execution vulnerability (CVE-2023-23477)", "bulletinFamily": 
"software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-03T16:08:22", "id": "49B2714E705EEE4FFE71353487925E5F9B967A62A3382CDC06A326DDEA79A0E5", "href": "https://www.ibm.com/support/pages/node/6953111", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:39:39", "description": "## Summary\n\nIBM WebSphere Application Server is used by IBM Tivoli System Automation Application Manager and is vulnerable to a remote code execution vulnerability. Required fixes for affected WebSphere Application Server have been published in the security bulletin links below.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Tivoli System Automation Application Manager| 4.1 \n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \nIBM Tivoli System Automation Application Manager 4.1| 
WebSphere Application Server 9.0| [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-20T12:00:10", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-20T12:00:10", "id": "C79A1E4DB71163ACE0A24BC1A74F041F58F9C43C0A3AAF7CC244B3C76F0F81D9", "href": "https://www.ibm.com/support/pages/node/6956880", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:39:28", "description": "## Summary\n\nIBM WebSphere Application Server shipped with IBM Security Access Manager for 
Enterprise Single Sign-On is vulnerable to remote code execution vulnerability (CVE-2023-23477). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Security Access Manager for Enterprise Single-Sign On| 8.2.1, 8.2.2 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by updating your systems.**\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.1| IBM WebSphere Application Server 8.5| [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \nIBM Security Access Manager for Enterprise Single Sign-On 8.2.2| IBM WebSphere Application Server 8.5| [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-28T04:04:17", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to remote code execution vulnerability (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-28T04:04:17", "id": "728DD2734EBBE317EEA80FA2FEC8762009C53C2E1F0E919BA2C47C8FB867BFA4", "href": "https://www.ibm.com/support/pages/node/6958675", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:39:32", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Rational ClearCase| 10.0.0 \nIBM Rational ClearCase| 9.1 \nIBM Rational ClearCase| 9.0.2 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. 
\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 10.0.0.x, 9.0.2.x, 9.1.x| IBM WebSphere Application Server versions 8.5, and 9.0.| \n\n[Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n10.0.0.x, 9.0.2.x, 9.1.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n_For 9.0.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-27T13:08:07", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-27T13:08:07", "id": "E34E511A2630387F93D77987AAF7878D79B4A1D4823C600C4F2AB9AF1DC16154", "href": "https://www.ibm.com/support/pages/node/6958458", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:39:34", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about security vulnerabilities affecting WAS have been published in a security bulletin. 
\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Rational ClearQuest | 9.0.1 \nIBM Rational ClearQuest | 9.0.2 \nIBM Rational ClearQuest | 9.1 \nIBM Rational ClearQuest | 10.0 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is used by IBM Rational ClearQuest. \n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 9.0.1.x, 9.0.2.x, 9.1.0.x, 10.0.x | IBM WebSphere Application Server versions 8.5 and 9.0. | \n\n[Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) \n \n**ClearQuest Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n9.0.1.x, 9.0.2.x, 9.1.0.x, 10.0.x | Apply the appropriate IBM WebSphere Application Server fix (see bulletin link above) directly to your CM server host. No ClearQuest-specific steps are necessary. 
\n \n_For 9.0.0.x, 8.0.1.x, 8.0.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-24T15:07:34", "type": "ibm", "title": "Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-24T15:07:34", "id": "DCEC48F93F97671E2AE0CFF8C7D217A96EEE6429AA82EE6EB4A21F3576728F47", "href": "https://www.ibm.com/support/pages/node/6958024", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:39:36", "description": "## Summary\n\nIBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected 
Product(s) and Version(s)| Affecting Product(s) and Version(s) \n---|--- \n \nIBM WebSphere Hybrid Edition\n\n * 5.1\n| \n\nIBM WebSphere Application Server\n\n * 9.0\n * 8.5 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading the fixpack level as described in [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111>) .\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-22T14:53:47", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-22T14:53:47", "id": "7F567D63F751C15B4466C3C503B9CA211C79AA803963EE025864969BB01A2CCA", "href": "https://www.ibm.com/support/pages/node/6957406", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2023-06-06T21:39:37", "description": "## Summary\n\nIBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) and Version(s)| Affecting Product(s) and Version(s) \n---|--- \n \nIBM Cloud Pak for Applications\n\n * 5.1\n| \n\nIBM WebSphere Application Server\n\n * 9.0\n * 8.5 \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading the fixpack level as described in [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-22T14:54:35", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-22T14:54:35", "id": "281C59FFC4546047F10203BFC661B999603744F9E20A8555F214C86881F35113", "href": "https://www.ibm.com/support/pages/node/6957408", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:38:26", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Case Manager| 5.3CD \n \n\n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability \\(CVE-2023-23477\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-04-03T21:39:36", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-23477)", 
"bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-04-03T21:39:36", "id": "61612DC94A9FD17DB91F89818055ED0E9265AC28BA2CB1DDA665B2B8812209C9", "href": "https://www.ibm.com/support/pages/node/6980519", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:40:20", "description": "## Summary\n\nIBM WebSphere Application Server traditional is shipped with IBM Intelligent Operations Center. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIntelligent Operations Center (IOC)| 1.5.0, 1.6.0, 1.6.0.1, 1.6.0.2, 1.6.0.3 \n \n\n\n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin:Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111> \"Security Bulletin:Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery \\(CVE-2022-35282\\)\" ) . Installation instructions for the fix are included in the readme document that is in the fix package. 
\n\nAlso you can download the latest IBM Intelligent Operations Center Version 5.2.3 from the following link:\n\n[IBM Intelligent Operations Center Version 5.2.3](<https://www.ibm.com/support/pages/node/6610605> \"\" )\n\nInstallation instructions for the fix are included in the readme document that is in the fix package.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-10T06:07:15", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-35282", "CVE-2023-23477"], "modified": "2023-02-10T06:07:15", "id": "AAFB41A860583793511C376EFA75DA2371ECFD2DE6A284FEB13D83732896D98B", "href": "https://www.ibm.com/support/pages/node/6954685", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T21:39:33", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of IBM Operations Analytics 
Predictive Insights. Information about WebSphere Application Server vulnerability CVE-2020-35282 to remote code execution has been published.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version(s)** \n---|--- \nIBM Operations Analytics Predictive Insights(All)| Websphere Application Server 9.0 \nIBM Operations Analytics Predictive Insights(All)| Websphere Application Server 8.5 \n \n\n\n## Remediation/Fixes\n\nFor more information and the recommended solution see the [Security Bulletin: IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)](<https://www.ibm.com/support/pages/node/6891111>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-27T15:01:55", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2023-23477)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35282", "CVE-2023-23477"], "modified": "2023-02-27T15:01:55", "id": "E4F44DE1086A4A098B1CB361B941D5BE475DA458FC0B0207D5963C26601CF6CD", "href": "https://www.ibm.com/support/pages/node/6958476", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-17T16:44:38", "description": "The IBM WebSphere Application Server running on the remote host is affected by a remote code execution vulnerability.\nIBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-03-07T00:00:00", "type": "nessus", "title": "IBM WebSphere Application Server 8.5.x < 8.5.5.20 / 9.x < 9.0.5.8 RCE (6891111)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2023-23477"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server"], "id": "WEBSPHERE_6891111.NASL", "href": "https://www.tenable.com/plugins/nessus/172173", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(172173);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/08\");\n\n script_cve_id(\"CVE-2023-23477\");\n script_xref(name:\"IAVA\", value:\"2022-A-0389\");\n\n script_name(english:\"IBM WebSphere Application Server 8.5.x < 8.5.5.20 / 9.x < 9.0.5.8 RCE (6891111)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The IBM WebSphere Application Server running on the remote host is affected 
by a remote code execution vulnerability.\nIBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the\nsystem with a specially crafted sequence of serialized objects.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/6891111\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to IBM WebSphere Application Server version 8.5.5.20, 9.0.5.8 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-23477\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/01/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/01/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_application_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_detect.nasl\", \"ibm_enum_products.nbin\", \"ibm_websphere_application_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM WebSphere Application Server\");\n\n exit(0);\n}\n\n\ninclude('vcf.inc');\n\nvar app = 'IBM WebSphere Application Server';\nvar fix = 'Interim Fix PH41676';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\nvar app_info = vcf::combined_get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\nconstraints = [\n { 'min_version' : '9.0', 'fixed_version' : '9.0.5.8' },\n { 'min_version' : '8.5', 'fixed_version' : '8.5.5.20' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cnvd": [{"lastseen": "2023-02-10T11:24:42", "description": "IBM WebSphere Application Server (WAS) is an application server product from International Business Machines (IBM). The product is a platform for JavaEE and Web services applications and is the foundation of the IBM WebSphere software platform.A code injection vulnerability exists in IBM WebSphere Application Server. An attacker exploits the vulnerability to execute arbitrary code on the system using a specially crafted sequence of serialized objects.", "cvss3": {}, "published": "2023-02-09T00:00:00", "type": "cnvd", "title": "IBM WebSphere Application Server Code Injection Vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-10T00:00:00", "id": "CNVD-2023-07975", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-07975", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-06-07T17:54:19", "description": "IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. 
IBM X-Force ID: 245513.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-03T19:15:00", "type": "cve", "title": "CVE-2023-23477", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2023-23477"], "modified": "2023-02-10T04:54:00", "cpe": ["cpe:/a:ibm:websphere_application_server:8.5", "cpe:/a:ibm:websphere_application_server:9.0"], "id": "CVE-2023-23477", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23477", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*"]}]}