Lucene search

K
ibmIBM83D595203B6140034A8876F4E29A2690A2EC6A8B0A81CF4C8AD32F2B3712FE8A
HistoryMar 15, 2024 - 6:04 p.m.

Security Bulletin: Potential vulnerability in Eclipse Jetty used by Apache Solr affects IBM Operations Analytics - Log Analysis (CVE-2023-36479)

2024-03-1518:04:54
www.ibm.com
11
eclipse jetty
apache solr
ibm operations analytics
log analysis
vulnerability
cve-2023-36479
security
update

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

23.0%

Summary

Eclipse Jetty in Apache Solr could provide weaker than expected security. This has been addressed.

Vulnerability Details

CVEID:CVE-2023-36479
**DESCRIPTION:**Eclipse Jetty could provide weaker than expected security, caused by an errant command quoting flaw in the org.eclipse.jetty.servlets.CGI Servlet. A remote authenticated attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266435 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Log Analysis 1.3.7.x

Remediation/Fixes

Principal Product and Version(s) Fix details
IBM Operations Analytics - Log Analysis version 1.3.7.x

Install Log Analysis 1.3.8 and upgrade to Log Analysis version 1.3.8 Fix Pack 1

You can download the release from Passport Advantage. Part number:
M0GJREN IBM Operations Analytics Log Analysis v1.3.8 Linux 64 bit
M0GJSEN IBM Operations Analytics Log Analysis v1.3.8 zLinux 64 bit
M0GJTEN IBM Operations Analytics Log Analysis v1.3.8 Power8 ppc64le

Download the 1.3.8-TIV-IOALA-FP1

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsmartcloud_analytics_log_analysisMatch1.3.7.
CPENameOperatorVersion
ibm smartcloud analyticseq1.3.7.

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

23.0%