Lucene search

IBM7EA473186C9B805C8C7658A39233BFE8D01762BA10A554CFBC75DB45EFBCC221

HistoryMay 20, 2024 - 3:36 p.m.

Security Bulletin: Multiple vulnerabilities affect Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2024-22201, CVE-2023-51775)

2024-05-2015:36:06

www.ibm.com

ibm operations analytics

log analysis

apache solr

denial of service

cve-2024-22201

cve-2023-51775

eclipse jetty

jose4j

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Summary

Apache Solr is used by IBM Operations Analytics - Log Analysis as Indexing Engine server is vulnerable to denial of service.

Vulnerability Details

CVEID:CVE-2024-22201
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by a flaw when an HTTP/2 connection gets TCP congested. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the server to stop accepting new connections from valid clients, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-51775
**DESCRIPTION:**jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/275907 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Log Analysis	1.3.7.0
Log Analysis	1.3.7.1
Log Analysis	1.3.7.2

Remediation/Fixes

Principal Product and Version(s)	Fix details
IBM Operations Analytics - Log Analysis version 1.3.7.0, 1.3.7.1 and 1.3.7.2

Install Log Analysis 1.3.8 or upgrade to later fix pack

You can download the release from Passport Advantage. Part number:
M0GJREN IBM Operations Analytics Log Analysis v1.3.8 Linux 64 bit
M0GJSEN IBM Operations Analytics Log Analysis v1.3.8 zLinux 64 bit
M0GJTEN IBM Operations Analytics Log Analysis v1.3.8 Power8 ppc64le

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsmartcloud_analytics_log_analysisMatch1.3.7.0

ibmsmartcloud_analytics_log_analysisMatch1.3.7.1

ibmsmartcloud_analytics_log_analysisMatch1.3.7.2

CPENameOperatorVersion
ibm smartcloud analyticseq1.3.7.0
ibm smartcloud analyticseq1.3.7.1
ibm smartcloud analyticseq1.3.7.2

Name	Operator	Version
ibm smartcloud analytics	eq	1.3.7.0
ibm smartcloud analytics	eq	1.3.7.1
ibm smartcloud analytics	eq	1.3.7.2

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for 7EA473186C9B805C8C7658A39233BFE8D01762BA10A554CFBC75DB45EFBCC221