Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to buffer overflow due to PostgreSQL (CVE-2023-5869)

Published: 2024-02-19 08:12:20
Source: www.ibm.com

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.1
Confidence: High
EPSS: 0.015
Percentile: 86.7%

Summary

IBM Connect:Direct Web Services uses PostgreSQL. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

**CVEID:** CVE-2023-5869
**DESCRIPTION:** PostgreSQL is vulnerable to a buffer overflow, caused by improper bounds checking by the SQL array values. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271226 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)|Version(s)
---|---
IBM Sterling Connect:Direct Web Services|6.3.0
IBM Sterling Connect:Direct Web Services|6.1.0
IBM Sterling Connect:Direct Web Services|6.2.0
IBM Connect:Direct Web Services|6.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Product(s)|Version(s)|Remediation
---|---|---
IBM Sterling Connect:Direct Web Services| 6.1| Apply 6.1.0.23, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.2| Apply 6.2.0.22, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.3| Apply 6.3.0.6, available on Fix Central
IBM Sterling Connect:Direct Web Services| 6.0| Upgrade to 6.1.0.23, 6.2.0.22, or 6.3.0.6

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm sterling_connect\:direct 6.1

Vendor|Product|Version|CPE
---|---|---|---
ibm|sterling_connect\:direct|6.1|cpe:2.3:a:ibm:sterling_connect\:direct:6.1:*:*:*:*:*:*:*
