Security Bulletin: IBM Tivoli Application Dependency Discovery Manager is vulnerable to server-side request forgery due to Apache CXF

Published: 2024-05-24 15:15:10
Source: www.ibm.com
Tags: ibm tivoli application dependency discovery manager, server-side request forgery, apache cxf, cve-2024-28752, e-fix, ssrf attack, soap api, rest api, upgrade fix

CVSS3: 9.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

AI Score: 9
Confidence: High
EPSS: 0.001
Percentile: 26.4%

Summary

This security bulletin addresses the vulnerability in open source Apache CXF that affects IBM Tivoli Application Dependency Discovery Manager (CVE-2024-28752). IBM Tivoli Application Dependency Discovery Manager uses Apache CXF for its SOAP API and REST API implementation.

Vulnerability Details

**CVEID:** CVE-2024-28752
**DESCRIPTION:** Apache CXF is vulnerable to server-side request forgery, caused by a flaw when using the Aegis DataBinding. By using a specially crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285581 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0 - 7.3.0.11 |

Remediation/Fixes

For TADDM 7.3.0.8, 7.3.0.9, 7.3.0.10 and 7.3.0.11: the e-Fix in the table below can be downloaded and applied directly.

For TADDM 7.3.0.0 - 7.3.0.7: upgrade your TADDM environment to a later version (preferably 7.3.0.11) and then apply the e-Fix in the table below.

| Fix | VRMF | APAR | How to acquire fix |
|---|---|---|---|
| efix_CVE-2024-28752_FP11230825.zip | 7.3.0.8-7.3.0.11 | None | Download eFix |

Workarounds and Mitigations

For customers on TADDM 7.3.0.0 through 7.3.0.7, the recommendation is to upgrade to the latest version and then apply the e-Fix directly.
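The remediation above branches on the installed TADDM VRMF level: 7.3.0.8 through 7.3.0.11 take the e-Fix directly, 7.3.0.0 through 7.3.0.7 must upgrade first, and anything outside 7.3.0.0 - 7.3.0.11 is not listed as affected. The following added example (not IBM's code or tooling) turns that decision into a small triage helper: it parses VRMF strings, accepts CPE 2.3 identifiers of the form shown under "Affected configurations" so an asset inventory can be fed in, and reports which path applies. The version ranges and e-Fix file name are taken from this bulletin; the function names and the sample inventory are constructed for the example.

```python
"""Triage TADDM versions against the CVE-2024-28752 remediation paths in this bulletin.

Added example; ranges and the e-Fix file name come from the bulletin, everything
else (function names, sample inventory) is constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

VRMF = Tuple[int, int, int, int]

# Inclusive ranges quoted in the bulletin.
AFFECTED_RANGE: Tuple[VRMF, VRMF] = ((7, 3, 0, 0), (7, 3, 0, 11))
EFIX_DIRECT_RANGE: Tuple[VRMF, VRMF] = ((7, 3, 0, 8), (7, 3, 0, 11))
EFIX_FILE = "efix_CVE-2024-28752_FP11230825.zip"
RECOMMENDED_UPGRADE = "7.3.0.11"

TADDM_VENDOR = "ibm"
TADDM_PRODUCT = "tivoli_application_dependency_discovery_manager"


def parse_vrmf(version: str) -> VRMF:
    """Parse an IBM 'V.R.M.F' string such as '7.3.0.9' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a VRMF version: {version!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))


def remediation_for(version: str) -> Dict[str, object]:
    """Map one TADDM version to the bulletin's remediation path."""
    v = parse_vrmf(version)
    lo, hi = AFFECTED_RANGE
    if not (lo <= v <= hi):
        return {"version": version, "affected": False, "action": "none"}
    dlo, dhi = EFIX_DIRECT_RANGE
    if dlo <= v <= dhi:
        return {"version": version, "affected": True,
                "action": "apply-efix", "efix": EFIX_FILE}
    return {"version": version, "affected": True,
            "action": "upgrade-then-apply-efix",
            "upgrade_to": RECOMMENDED_UPGRADE, "efix": EFIX_FILE}


def version_from_cpe(cpe: str) -> Optional[str]:
    """Return the version field of a CPE 2.3 string if it names TADDM, else None.

    Layout: cpe:2.3:part:vendor:product:version:update:edition:language:
            sw_edition:target_sw:target_hw:other  (13 colon-separated fields)
    """
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    if (fields[3], fields[4]) != (TADDM_VENDOR, TADDM_PRODUCT):
        return None
    return fields[5]


def triage_inventory(cpes: List[str]) -> List[Dict[str, object]]:
    """Run remediation_for over every TADDM CPE in an inventory.

    Non-TADDM entries are skipped; a wildcard version ('*') cannot be triaged
    and is reported as 'unknown-version' so it is not silently dropped.
    """
    results = []
    for cpe in cpes:
        version = version_from_cpe(cpe)
        if version is None:
            continue
        if version == "*":
            results.append({"cpe": cpe, "affected": None, "action": "unknown-version"})
            continue
        entry = remediation_for(version)
        entry["cpe"] = cpe
        results.append(entry)
    return results


# Constructed sample inventory: the two CPEs from this bulletin plus two extras.
SAMPLE_INVENTORY = [
    "cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.8:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:*:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:cxf:3.5.0:*:*:*:*:*:*:*",  # unrelated product, skipped
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(row)
```

The CPE parser deliberately rejects malformed strings rather than guessing, and a wildcard version is surfaced as a separate state so an inventory with incomplete version data does not read as "not affected".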

Affected configurations

Match: ibm tivoli_application_dependency_discovery_manager 7.3.0.0 OR 7.3.0.8

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | tivoli_application_dependency_discovery_manager | 7.3.0.0 | cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:* |
| ibm | tivoli_application_dependency_discovery_manager | 7.3.0.8 | cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.8:*:*:*:*:*:*:* |
