Lucene search

IBMA24875AE2A7AEA3C8B6E56E6E0BBD1C4B2A06150AEBAB76F119EA14C9A449F2F

HistoryMay 23, 2024 - 6:14 a.m.

Security Bulletin: Vulnerability in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2023-50312)

2024-05-2306:14:28

www.ibm.com

vulnerability

websphere application

ibm operations analytics

log analysis

cve-2023-50312

security bulletin

ibm

tls

upgrade

version 24.0.0.3

5.3 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Summary

WebSphere Application Server Liberty used by IBM Operations Analytics - Log Analysis is vulnerable to weak security.

Vulnerability Details

CVEID:CVE-2023-50312
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274711.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/274711 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
Log Analysis	1.3.5.3
Log Analysis	1.3.6.0
Log Analysis	1.3.6.1
Log Analysis	1.3.7.0
Log Analysis	1.3.7.1
Log Analysis	1.3.7.2
Log Analysis	1.3.8.0
Log Analysis	1.3.8.1

Remediation/Fixes

Principal Product and Version(s)	Fix details
IBM Operations Analytics - Log Analysis version 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0 and 1.3.8.1

Upgrade the liberty version to WebSphere Application Server Liberty 24.0.0.3 (use wlp-core-all-24.0.0.3.jar) by following these steps.

Ref: Security Bulletin: IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-50312)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmsmartcloud_analytics_log_analysisMatch1.3.5.3

ibmsmartcloud_analytics_log_analysisMatch1.3.6.0

ibmsmartcloud_analytics_log_analysisMatch1.3.6.1

ibmsmartcloud_analytics_log_analysisMatch1.3.7.0

ibmsmartcloud_analytics_log_analysisMatch1.3.7.1

ibmsmartcloud_analytics_log_analysisMatch1.3.7.2

ibmsmartcloud_analytics_log_analysisMatch1.3.8.0

ibmsmartcloud_analytics_log_analysisMatch1.3.8.1

CPENameOperatorVersion
ibm smartcloud analyticseq1.3.5.3
ibm smartcloud analyticseq1.3.6.0
ibm smartcloud analyticseq1.3.6.1
ibm smartcloud analyticseq1.3.7.0
ibm smartcloud analyticseq1.3.7.1
ibm smartcloud analyticseq1.3.7.2
ibm smartcloud analyticseq1.3.8.0
ibm smartcloud analyticseq1.3.8.1

Name	Operator	Version
ibm smartcloud analytics	eq	1.3.5.3
ibm smartcloud analytics	eq	1.3.6.0
ibm smartcloud analytics	eq	1.3.6.1
ibm smartcloud analytics	eq	1.3.7.0
ibm smartcloud analytics	eq	1.3.7.1
ibm smartcloud analytics	eq	1.3.7.2
ibm smartcloud analytics	eq	1.3.8.0
ibm smartcloud analytics	eq	1.3.8.1