
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Automation.

Published: 2024-04-18 15:34:44
Source: www.ibm.com

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 7.1 (Confidence: High)
EPSS: 0.004 (Percentile: 74.4%)

Summary

IBM Workload Automation has updated OpenSSL to address multiple vulnerabilities. (CVE-2023-2650, CVE-2023-0464, CVE-2023-0466, CVE-2023-0465).

Vulnerability Details

**CVEID:** CVE-2023-2650
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt() directly, or when using any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/256611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2023-0464
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error related to the verification of X.509 certificate chains that include policy constraints. By creating a specially crafted certificate chain that triggers exponential use of computational resources, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/250736 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2023-0466
**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using invalid certificate policies, an attacker could exploit this vulnerability to bypass certificate verification.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/251307 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2023-0465
**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw when using a non-default option to verify certificates. By using invalid certificate policies in leaf certificates, an attacker could exploit this vulnerability to bypass policy checking.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/251293 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Workload Automation | 9.5 to 9.5.0.6 Security 2023.03 |
| IBM Workload Automation | 10.1 to 10.1.0.3 |

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by upgrading IBM Workload Automation.

APAR IJ50709 has been opened to address the OpenSSL vulnerability for IBM Workload Automation.
APAR IJ50709 has been included in 9.5.0.7 and 10.1.0.4 versions, available on Fix Central.
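To turn the affected-version table and the APAR fix levels above into an inventory check, here is an added triage helper (example code written for this page, not IBM's own tooling). It assumes installed versions are reported as dotted numeric strings, optionally followed by a descriptive suffix such as "Security 2023.03", and compares them numerically rather than as strings so that a hypothetical 9.5.0.10 would not sort below 9.5.0.6.

```python
"""Triage helper for this bulletin: given an installed IBM Workload Automation
version string, report whether it falls in a published affected range and
which release (carrying APAR IJ50709) to move to."""
from typing import Dict, Optional, Tuple

# Ranges as published in the bulletin: inclusive lower bound, inclusive upper
# bound, and the first release for that stream that includes APAR IJ50709.
AFFECTED_RANGES = (
    ("9.5", "9.5.0.6", "9.5.0.7"),
    ("10.1", "10.1.0.3", "10.1.0.4"),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.5.0.6 Security 2023.03' into (9, 5, 0, 6).

    Only the leading dotted numeric token is compared; descriptive suffixes
    such as 'Security 2023.03' are ignored (assumption: they never change the
    numeric level). Missing components are padded with zeros so that the
    bulletin's lower bound '9.5' compares equal to '9.5.0.0'."""
    lead = text.strip().split()[0]
    parts = [int(p) for p in lead.split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def fix_level_for(installed: str) -> Optional[str]:
    """Return the release to upgrade to if `installed` is affected, else None."""
    version = parse_version(installed)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            return fixed
    return None  # outside every published range (already fixed or other stream)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> required fix level for a {host: version} inventory,
    omitting hosts that are already at or past the fix level."""
    result = {}
    for host, version in inventory.items():
        fixed = fix_level_for(version)
        if fixed is not None:
            result[host] = fixed
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"sched-a": "9.5.0.6 Security 2023.03", "sched-b": "10.1.0.4"}
    print(triage(sample))  # only sched-a needs the upgrade
```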

Workarounds and Mitigations

None

Affected configurations (CPE)

- ibm workload_scheduler 9.5: cpe:2.3:a:ibm:workload_scheduler:9.5:*:*:*:*:*:*:*
- ibm workload_scheduler 10.1: cpe:2.3:a:ibm:workload_scheduler:10.1:*:*:*:*:*:*:*