Security Bulletin: IBM Maximo Asset Management - There is a vulnerability in Java on z/OS used by IBM Maximo Asset Management application (CVE-2024-3933)

Summary

There is a vulnerability in Java on z/OS used by IBM Maximo Asset Management application.

Vulnerability Details

CVEID:CVE-2024-3933
**DESCRIPTION:**Eclipse Openj9 could allow a local authenticated attacker to bypass security restrictions, caused by the failure to restrict access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. By sending a specially crafted request, an attacker could exploit this vulnerability to gain read and write to addresses beyond the end of the array range.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292491 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L)

Affected Products and Versions

Product versions affected:

• To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6:

Maximo Asset Management 7.6.1.3 iFix:

7.6.1.3-TIV-MBS-IF020 or latest Interim Fix available

|

FixCentral

Workarounds and Mitigations

None