Lucene search

IBM84F56416F785FC236B9625D9F4D9B997F2296B1DBF1AF42FEA8D23B9D422370C

HistoryMay 11, 2023 - 4:24 p.m.

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-27554)

2023-05-1116:24:40

www.ibm.com

ibm websphere

maximo asset management

security bulletin

vulnerability

xml external entity injection

cve-2023-27554

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

0.001 Low

EPSS

Percentile

47.7%

JSON

Summary

IBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Industry Solutions (including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Maximo Asset Management core product versions affected:

Principal Product and Version(s)

Affected Supporting Product and Version

—|—
Maximo Asset Management 7.6.1.2
Maximo Asset Management 7.6.1.3 |

IBM WebSphere Application Server 9.0
IBM WebSphere Application Server 8.5.5 Full Profile

To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

Security Bulletin: IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_asset_managementMatch7.6.1

ibmmaximo_for_life_sciencesMatch7.6

ibmmaximo_for_oil_and_gasMatch7.6.1

ibmmaximo_for_aviationMatch7.6.8

ibmmaximo_for_aviationMatch7.6.7

ibmmaximo_for_aviationMatch7.6.6

ibmcontrol_deskMatch7.6.1.1

ibmcontrol_deskMatch7.6.1

ibmmaximo_for_nuclear_powerMatch7.6.1

ibmmaximo_for_utilitiesMatch7.6.0.2

ibmmaximo_for_utilitiesMatch7.6.0.1

ibmmaximo_spatial_asset_managementMatch7.6.0.5

ibmmaximo_spatial_asset_managementMatch7.6.0.4

ibmmaximo_spatial_asset_managementMatch7.6.0.3

ibmmaximo_spatial_asset_managementMatch7.6.0.2

ibmmaximo_for_service_providersMatch7.6.3.3

ibmmaximo_for_service_providersMatch7.6.3.2

ibmmaximo_for_service_providersMatch7.6.3.1

ibmmaximo_asset_configuration_managerMatch7.6.7.1

ibmmaximo_asset_configuration_managerMatch7.6.7

ibmmaximo_asset_configuration_managerMatch7.6.6

ibmmaximo_for_transportationMatch7.6.2

CPENameOperatorVersion
ibm maximo asset managementeq7.6.1
maximo for life scienceseq7.6
maximo for oil and gaseq7.6.1
ibm maximo for aviationeq7.6.8
ibm maximo for aviationeq7.6.7
ibm maximo for aviationeq7.6.6
ibm control deskeq7.6.1.1
ibm control deskeq7.6.1
maximo for nuclear powereq7.6.1
maximo for utilitieseq7.6.0.2

Name	Operator	Version
ibm maximo asset management	eq	7.6.1
maximo for life sciences	eq	7.6
maximo for oil and gas	eq	7.6.1
ibm maximo for aviation	eq	7.6.8
ibm maximo for aviation	eq	7.6.7
ibm maximo for aviation	eq	7.6.6
ibm control desk	eq	7.6.1.1
ibm control desk	eq	7.6.1
maximo for nuclear power	eq	7.6.1
maximo for utilities	eq	7.6.0.2

Rows per page:

1-10 of 221

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

0.001 Low

EPSS

Percentile

47.7%

JSON

Related for 84F56416F785FC236B9625D9F4D9B997F2296B1DBF1AF42FEA8D23B9D422370C