History: Mar 15, 2024 - 5:41 p.m.

Security Bulletin: Vulnerability in Apache Solr affects IBM Operations Analytics - Log Analysis (CVE-2023-40167)

2024-03-15 17:41:32
www.ibm.com
Tags: apache solr, ibm operations analytics, log analysis, http request smuggling, jetty, web cache poisoning, firewall bypass, xss attacks, vulnerability, fix, upgrade

AI Score: 6.1 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 24.9%)

Summary

There is a potential HTTP request smuggling vulnerability in Apache Solr. This has been addressed.

Vulnerability Details

CVEID: CVE-2023-40167
**DESCRIPTION:** Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP/1 request header. By sending a specially crafted request, a remote attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/266353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
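As an added illustration of the strict request framing that closes this class of smuggling (an editor's example, not IBM's or Jetty's code): the checks below reject a Content-Length that is not a plain digit string (the upstream Jetty fix for CVE-2023-40167 concerned a leading '+' sign, which is background knowledge rather than text from this bulletin) and the ambiguous Content-Length/Transfer-Encoding combinations that RFC 9112 requires a server to refuse. The header blocks are constructed sample input.

```python
import re
from typing import List, Tuple

# RFC 9112: Content-Length = 1*DIGIT. A sign, embedded whitespace or a hex
# prefix is not allowed; a lenient parser that accepts e.g. "+5" can disagree
# with a stricter peer (proxy, WAF, cache) about where the body ends, which
# is exactly the desynchronisation request smuggling relies on.
_CONTENT_LENGTH = re.compile(r"^[0-9]+$")


def parse_header_block(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1 header block into (name, value) pairs.
    Names are lower-cased and values stripped of optional whitespace."""
    fields = []
    for line in re.split(r"\r?\n", raw):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_framing(raw: str) -> Tuple[bool, str]:
    """Return (accept, reason). Refuses any request whose body length could
    be read differently by two parsers; a server should answer 400 and
    close the connection rather than guess."""
    fields = parse_header_block(raw)
    lengths = [v for n, v in fields if n == "content-length"]
    has_te = any(n == "transfer-encoding" for n, _ in fields)

    # CL together with TE is the classic CL.TE / TE.CL ambiguity.
    if lengths and has_te:
        return False, "both Content-Length and Transfer-Encoding present"
    for value in lengths:
        # Strict 1*DIGIT check: "+5", " 5", "0x5" and "5, 5" are all rejected,
        # even where int() or a permissive parser would accept some of them.
        if not _CONTENT_LENGTH.match(value):
            return False, f"invalid Content-Length value {value!r}"
    # Repeated Content-Length fields are tolerable only when identical.
    if len(set(lengths)) > 1:
        return False, "conflicting Content-Length values"
    return True, "ok"
```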

Affected Products and Versions

Affected Product(s) | Version(s)
Log Analysis | 1.3.7.x

Remediation/Fixes

Principal Product and Version(s) | Fix details
IBM Operations Analytics - Log Analysis version 1.3.7.x | Install Log Analysis 1.3.8 and upgrade to Log Analysis version 1.3.8 Fix Pack 1

You can download the release from Passport Advantage. Part numbers:
M0GJREN IBM Operations Analytics Log Analysis v1.3.8 Linux 64 bit
M0GJSEN IBM Operations Analytics Log Analysis v1.3.8 zLinux 64 bit
M0GJTEN IBM Operations Analytics Log Analysis v1.3.8 Power8 ppc64le

Then download the 1.3.8-TIV-IOALA-FP1 fix pack.

Workarounds and Mitigations

None

CPE Name | Operator | Version
ibm smartcloud analytics | eq | 1.3.7.
