Lucene search

IBMA03B697942B14526D8CF174CC46C4E21D9E64F083EAB54EF4CF402FBEEB58AFC

HistoryFeb 27, 2024 - 4:18 p.m.

Security Bulletin: Logback is vulnerable to CVE-2023-6481 and CVE-2023-6378 used in IBM Maximo Application Suite - Monitor Component

2024-02-2716:18:32

www.ibm.com

ibm maximo

logback

vulnerability

denial of service

serialization

fixpack

update .

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

17.0%

JSON

Summary

IBM Maximo Application Suite - Monitor Component uses logback which is vulnerable to CVE-2023-6481 and CVE-2023-6378. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-6481
**DESCRIPTION:**QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the logback receiver component. By sending a specially crafted data, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273013 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

CVEID:CVE-2023-6378
**DESCRIPTION:**QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272577 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Maximo Application Suite - Monitor Component	8.11
IBM Maximo Application Suite - Monitor Component	8.10

Remediation/Fixes

Affected Product(s)	Fixpack Version(s)
IBM Maximo Application Suite - Monitor Component	8.11.4 or latest (available from the Catalog under Update Available)
IBM Maximo Application Suite - Monitor Component	8.10.7 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_application_suiteMatch8.11

ibmmaximo_application_suiteMatch8.10

VendorProductVersionCPE
ibmmaximo_application_suite8.11cpe:2.3:a:ibm:maximo_application_suite:8.11:*:*:*:*:*:*:*
ibmmaximo_application_suite8.10cpe:2.3:a:ibm:maximo_application_suite:8.10:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	maximo_application_suite	8.11	cpe:2.3:a:ibm:maximo_application_suite:8.11:::::::*
ibm	maximo_application_suite	8.10	cpe:2.3:a:ibm:maximo_application_suite:8.10:::::::*