Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA32AA32343CE4F04C725E2D3268C726E9F9E09B5F8D2130ED2BAAF1662919E83
HistoryJan 11, 2024 - 4:30 p.m.

Security Bulletin: IBM Cognos Command Center has addressed vulnerabilities in IBM® Semeru Java™ Version 11 and Eclipse Jetty

2024-01-1116:30:44
www.ibm.com
6
ibm cognos command center
ibm semeru java
eclipse jetty
cve-2023-22049
cve-2023-22036
cve-2023-44487
cve-2023-41900
cve-2023-40167
cve-2023-36479

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8 High

AI Score

Confidence

High

0.732 High

EPSS

Percentile

98.1%

JSON

Summary

There are vulnerabilities in IBM® Semeru Java™ Version 11 and Eclipse Jetty used by IBM Cognos Command Center. IBM Cognos Command Center 10.2.5 has addressed the applicable CVEs by upgrading to IBM® Semeru JRE 11.0.20.0 (CVE-2023-22049, CVE-2023-22036) and Eclipse Jetty 10.0.17 (CVE-2023-40167, CVE-2023-36479, CVE-2023-44487 CVE-2023-41900, CVE-2023-36478). Please refer to the table in the Related Information section for vulnerability impact.

Vulnerability Details

CVEID:CVE-2023-22049
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-22036
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Utility component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-41900
**DESCRIPTION:**Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by improper authentication validation when using the optional nested LoginService. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266185 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N)

CVEID:CVE-2023-40167
**DESCRIPTION:**Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP/1 request header. By sending a specially crafted request, a remote attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-36479
**DESCRIPTION:**Eclipse Jetty could provide weaker than expected security, caused by an errant command quoting flaw in the org.eclipse.jetty.servlets.CGI Servlet. A remote authenticated attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266435 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N)

CVEID:CVE-2023-36478
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by an integer overflow and buffer allocation in MetaDataBuilder.checkSize. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268413 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cognos Command Center 10.2.4.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Affected Product(s) Version Fix
IBM Cognos Command Center 10.2.5 IBM® Cognos® Command Center® 10.2.5 available for download

IBM Cognos Command Center Cloud environments have been updated.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcognos_command_centerMatch10.2.4.1
CPENameOperatorVersion
ibm cognos command centereq10.2.4.1

Related

openvas 15
ibm 54
nessus 24
osv 16
debian 5
freebsd 1
redhat 10
redos 2
amazon 2
prion 6
cve 6
ubuntucve 6
redhatcve 6
nvd 6
debiancve 6
github 4
atlassian 3
veracode 6
cvelist 6
cgr 3
wolfi 3
f5 2
alpinelinux 3
almalinux 2
oraclelinux 2
openvas
openvas
openSUSE: Security Advisory for jetty (SUSE-SU-2023:4210-1)
2024-03-04 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:4210-1)
2023-10-27 00:00:00
Debian: Security Advisory (DSA-5507-1)
2023-09-29 00:00:00
ibm
ibm
Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to multiple issues due to Eclipse Jetty.
2024-01-25 22:15:26
Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to multiple issues due to Eclipse Jetty
2024-01-16 18:00:22
Security Bulletin: IBM Storage Protect Server is vulnerable to various attacks due to Eclipse Jetty (CVE-2023-40167, CVE-2023-41900, CVE-2023-36479, CVE-2023-36478)
2023-12-15 16:30:18
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2023:4210-1)
2023-10-27 00:00:00
Debian DSA-5507-1 : jetty9 - security update
2023-09-29 00:00:00
Debian DSA-5540-1 : jetty9 - security update
2023-10-31 00:00:00
osv
osv
jetty9 - security update
2023-09-28 00:00:00
jetty9 - security update
2023-10-30 00:00:00
jetty9 - security update
2023-10-30 00:00:00
debian
debian
[SECURITY] [DSA 5507-1] jetty9 security update
2023-09-28 22:37:26
[SECURITY] [DSA 5540-1] jetty9 security update
2023-10-30 19:52:02
[SECURITY] [DLA 3592-1] jetty9 security update
2023-09-30 12:35:53
freebsd
freebsd
jenkins -- HTTP/2 denial of service vulnerability in bundled Jetty
2023-10-18 00:00:00
redhat
redhat
(RHSA-2023:5780) Important: Red Hat Integration Camel Extensions for Quarkus 2.13.3 security update
2023-10-17 11:41:34
(RHSA-2023:7247) Critical: Red Hat Fuse 7.12.1 release and security update
2023-11-15 17:06:12
(RHSA-2023:5946) Important: Red Hat AMQ Broker 7.11.3 release and security update
2023-10-19 18:59:57
redos
redos
ROS-20240409-12
2024-04-09 00:00:00
ROS-20240403-13
2024-04-03 00:00:00
amazon
amazon
Medium: jetty
2024-01-03 21:04:00
Medium: jetty
2024-02-15 03:52:00
prion
prion
Design/Logic Flaw
2023-09-15 19:15:00
Authentication flaw
2023-09-15 21:15:00
Design/Logic Flaw
2023-09-15 20:15:00
cve
cve
CVE-2023-36479
2023-09-15 19:15:08
CVE-2023-36478
2023-10-10 17:15:11
CVE-2023-41900
2023-09-15 21:15:11
ubuntucve
ubuntucve
CVE-2023-41900
2023-09-15 00:00:00
CVE-2023-36478
2023-10-10 00:00:00
CVE-2023-36479
2023-09-15 00:00:00
redhatcve
redhatcve
CVE-2023-41900
2023-10-30 19:43:13
CVE-2023-36479
2023-09-22 20:24:51
CVE-2023-22036
2023-07-19 13:43:42
nvd
nvd
CVE-2023-40167
2023-09-15 20:15:09
CVE-2023-36478
2023-10-10 17:15:11
CVE-2023-36479
2023-09-15 19:15:08
debiancve
debiancve
CVE-2023-40167
2023-09-15 20:15:09
CVE-2023-36478
2023-10-10 17:15:11
CVE-2023-36479
2023-09-15 19:15:08
github
github
Jetty vulnerable to errant command quoting in CGI Servlet
2023-09-14 16:16:00
Jetty accepts "+" prefixed value in Content-Length
2023-09-14 16:17:27
HTTP/2 HPACK integer overflow and buffer allocation
2023-10-10 21:16:23
atlassian
atlassian
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Confluence Data Center and Server
2024-03-07 02:45:51
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bitbucket Data Center and Server
2023-12-14 07:45:23
DoS (Denial of Service) org.eclipse.jetty:jetty-http Dependency in Bamboo Data Center and Server
2023-12-19 10:45:37
veracode
veracode
Arbitrary Code Execution
2023-09-20 10:17:36
Denial Of Service (DoS)
2023-10-12 05:13:43
Weak Authentication
2023-09-20 08:38:31
cvelist
cvelist
CVE-2023-36479 Jetty vulnerable to errant command quoting in CGI Servlet
2023-09-15 18:37:35
CVE-2023-41900 Jetty's OpenId Revoked authentication allows one request
2023-09-15 20:17:42
CVE-2023-40167 Jetty accepts "+" prefixed value in Content-Length
2023-09-15 19:37:37
cgr
cgr
CVE-2023-41900 vulnerabilities
2024-05-19 03:07:16
CVE-2023-40167 vulnerabilities
2024-05-19 03:07:16
CVE-2023-36479 vulnerabilities
2024-05-19 03:07:16
wolfi
wolfi
CVE-2023-41900 vulnerabilities
2024-06-29 03:08:33
CVE-2023-40167 vulnerabilities
2024-06-29 03:08:33
CVE-2023-36479 vulnerabilities
2024-06-29 03:08:33
f5
f5
K000135626 : Oracle Java vulnerability CVE-2023-22036
2023-07-27 00:00:00
K000135637 : Java vulnerability CVE-2023-22049
2023-07-27 00:00:00
alpinelinux
alpinelinux
CVE-2023-36478
2023-10-10 17:15:11
CVE-2023-22036
2023-07-18 21:15:13
CVE-2023-22049
2023-07-18 21:15:14
almalinux
almalinux
Moderate: java-11-openjdk security and bug fix update
2023-07-20 00:00:00
Moderate: java-11-openjdk security and bug fix update
2023-07-20 00:00:00
oraclelinux
oraclelinux
java-11-openjdk security and bug fix update
2023-07-28 00:00:00
java-11-openjdk security and bug fix update
2023-07-21 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8 High

AI Score

Confidence

High

0.732 High

EPSS

Percentile

98.1%

JSON
Related for A32AA32343CE4F04C725E2D3268C726E9F9E09B5F8D2130ED2BAAF1662919E83
openvas15ibm54nessus24osv16debian5freebsd1redhat10redos2amazon2prion6cve6ubuntucve6redhatcve6nvd6debiancve6github4atlassian3veracode6cvelist6cgr3wolfi3f52alpinelinux3almalinux2oraclelinux2