Lucene search

K
ibmIBM941DA6946B94FEE5E79310CEA3C03EBD1C37FFCB3C608B3EF74E10D4784C7622
HistoryMay 08, 2024 - 7:24 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer

2024-05-0819:24:56
www.ibm.com
12
ibm java sdk
rational business developer
cve-2024-20952
cve-2024-20918
cve-2024-20921
cve-2024-20919
cve-2024-20926
cve-2024-20945
cve-2023-33850

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

0.002

Percentile

55.2%

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology used by Rational Business Developer. Rational Business Developer has provided fixes for the applicable CVEs. These issues were disclosed as part of the IBM SDK, Java Technology Edition Quarterly CPU - Jan 2024 - Includes Oracle January 2024 CPU plus CVE-2023-33850.

Vulnerability Details

**CVEID:**CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-20918 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-20921 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-20919 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high integrity impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279785 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**CVE-2024-20926 DESCRIPTION: An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-20945 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2023-33850 DESCRIPTION: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
RBD 9.1
RBD 9.6
RBD 9.7

Remediation/Fixes

Product VRMF APAR Remediation / First Fix File Name
Rational Business Developer 9.1 None V9.1 is Out of Service. Customers with Service Extensions should contact IBM Support for further assistance. ****
Rational Business Developer 9.6 - 9.6.1 None https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.6&platform=All&function=all RBD_9.6_IBM_JDK8_SR8_FP20
Rational Business Developer 9.7 - 9.7.1 None https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Rational&product=ibm/Rational/Rational+Business+Developer&release=9.7.0&platform=All&function=all RBD_9.7_IBM_JDK8_SR8_FP20

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmrational_business_developerMatch9.1
OR
ibmrational_business_developerMatch9.6
OR
ibmrational_business_developerMatch9.7
VendorProductVersionCPE
ibmrational_business_developer9.1cpe:2.3:a:ibm:rational_business_developer:9.1:*:*:*:*:*:*:*
ibmrational_business_developer9.6cpe:2.3:a:ibm:rational_business_developer:9.6:*:*:*:*:*:*:*
ibmrational_business_developer9.7cpe:2.3:a:ibm:rational_business_developer:9.7:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

0.002

Percentile

55.2%

Related for 941DA6946B94FEE5E79310CEA3C03EBD1C37FFCB3C608B3EF74E10D4784C7622