Security Bulletin: IBM Integration Bus for z/OS is vulnerable to a denial of service due to Apache Tomcat (CVE-2024-24549, CVE-2024-23672)

Published: 2024-04-05 11:18:36
Source: www.ibm.com

EPSS score: 0.0004 (Low), percentile: 15.3%

Summary

IBM Integration Bus for z/OS is vulnerable to a denial of service due to Apache Tomcat. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2024-24549
**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by improper input validation by the HTTP/2 header. By sending specially crafted HTTP/2 requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285497 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-23672
**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an incomplete cleanup flaw. By sending specially crafted WebSocket connections, a remote attacker could exploit this vulnerability to cause increased resource consumption, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/285496 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
—|—
IBM Integration Bus for z/OS | 10.1 - 10.1.0.3

Remediation/Fixes

**IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM Integration Bus for z/OS.**

Affected Product(s) | Version(s) | APAR | Remediation / Fixes
—|—|—|—
IBM Integration Bus for z/OS | 10.1 - 10.1.0.3 | PH60555 | Interim fix for APAR PH60555 is available to apply to 10.1.0.3 from IBM Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm integration_bus, version range 10.1 OR 10.1.0.3