Lucene search

IBM782A94BDAEB1E33B8783CE6A45634DBFDF994B63D666E74CD88DE0623822B291

HistoryApr 19, 2023 - 4:22 a.m.

Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM® MobileFirst Platform

2023-04-1904:22:55

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

72.0%

JSON

Summary

IBM MobileFirst Platform Foundation has addressed the following vulnerabilities by updating the version of OpenSSL

Vulnerability Details

CVEID:CVE-2022-4304
**DESCRIPTION:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-0215
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a use-after-free error related to the incorrect handling of streaming ASN.1 data by the BIO_new_NDEF function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246614 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-0286
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a type confusion error related to X.400 address processing inside an X.509 GeneralName. By passing arbitrary pointers to a memcmp call, a remote attacker could exploit this vulnerability to read memory contents or cause a denial of service.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)

CVEID:CVE-2022-4450
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a double-free error related to the improper handling of specific PEM data by the PEM_read_bio_ex() function. By sending specially crafted PEM files for parsing, a remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-0216
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by an invalid pointer dereference related to the incorrect handling of malformed PKCS7 data. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-0401
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference during PKCS7 data verification. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246618 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-4203
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a read buffer overrun triggered by the improper handling of X.509 certificate verification. A remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-0217
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference related to the validation of certain DSA public keys. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246619 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM MobileFirst Foundation	8.0.0.0

Remediation/Fixes

Product(s)	Version Number(s) and/or range	Remediation/Fix/Instructions	Published artifacts with the fix
IBM MobileFirst Platform Foundation	8.0.0.0	iFix build 8.0.0.0-MFPF-IF202304111626 build includes fixes to resolve vulnerable third party libraries(PH53917).

Please download from Fix Central

iOS Native SDK - 8.0.2023040410

Android Native SDK - 8.0.2023040309

Cordova SDK - 8.0.2023040605

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm mobilefirst platform foundationeq8.0.0.0

CPE	Name	Operator	Version
	ibm mobilefirst platform foundation	eq	8.0.0.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.004 Low

EPSS

Percentile

72.0%

JSON

Related for 782A94BDAEB1E33B8783CE6A45634DBFDF994B63D666E74CD88DE0623822B291