Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. (CVE-2023-34396, CVE-2023-34149)

Summary

Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager (CVE-2023-34396, CVE-2023-34149)

Vulnerability Details

CVEID:CVE-2023-34396
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by a flaw when processing Multipart request containing non-file normal form fields. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257946 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-34149
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by a flaw with only handling setProperty() but not getProperty(). By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257947 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

In order to fix this vulnerability, please follow the below steps:

For TADDM 7.3.0.7 - 7.3.0.9, please download the below efix and apply it.

Please review eFix readme in etc/<efix_name>_readme.txt

For TADDM 7.3.0.0 - 7.3.0.6, please upgrade TADDM to 7.3.0.7 or above (IBM recommend the latest release, 7.3.0.10) and apply the above efix.

Workarounds and Mitigations

The above eFix is applicable can be downloaded and applied directly.