Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMB431FC9A2586C14A41C6CC8B7548DCF5E4CCC240ACD75F921F4108C8790757A9
HistoryApr 04, 2024 - 6:41 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java, OpenSSL, and libcurl may affect IBM Storage Protect for Virtual Environments: Data Protection for VMware

2024-04-0418:41:20
www.ibm.com
8
ibm
storage protect
virtual environments
data protection
vmware
multiple vulnerabilities
java
openssl
libcurl
denial of service
bypass security
confidentiality
integrity
sensitive information disclosure

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

10 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.1%

JSON

Summary

IBM Storage Protect for Virtual Environments: Data Protection for VMware can be affected by security flaws in IBM Java, OpenSSL, and libcurl. The flaws can lead to denial of service, bypass security restrictions, confidentiality impact, integrity impact, availability impact, and sensitive information disclosure, as described in the “Vulnerability Details” section.

Vulnerability Details

CVEID:CVE-2023-1255
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw in the AES-XTS cipher decryption implementation for 64 bit ARM platform. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253370 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-20952
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20918
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20921
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20919
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high integrity impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279785 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2024-20926
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20945
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-33850
**DESCRIPTION:**IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-22081
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-22067
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-5676
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-27781
**DESCRIPTION:**cURL libcurl is vulnerable to a denial of service, caused by a flaw in the CURLOPT_CERTINFO option. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause a never ending busy-loop when trying to retrieve certificate chain information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226251 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-0464
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by an error related to the verification of X.509 certificate chains that include policy constraints. By creating a specially crafted certificate chain that triggers exponential use of computational resources, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250736 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-0465
**DESCRIPTION:**OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw when using a non-default option to verify certificates. By using invalid certificate policies in leaf certificates, an attacker could exploit this vulnerability to bypass policy checking.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251293 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-22045
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-22049
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-0466
**DESCRIPTION:**OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the X509_VERIFY_PARAM_add0_policy function. By using invalid certificate policies, an attacker could exploit this vulnerability to bypass certificate verification.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251307 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-2650
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Protect for Virtual Environments: Data Protection for VMware 8.1.0.0 - 8.1.21.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by upgrading.

Product Fixing level Platforms Link to fix and instructions
IBM Storage Protect for Virtual Environments: Data Protection for VMware 8.1.22.0 Linux
Windows Download Information: IBM Storage Protect for Virtual Environments 8.1.22

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmspectrum_protect_for_virtual_environmentsMatch8.1

Related

ibm 55
cloudlinux 1
nessus 57
openvas 25
debian 3
ubuntu 3
osv 12
redhat 24
centos 2
aix 1
oraclelinux 6
almalinux 5
amazon 1
mageia 1
fedora 1
atlassian 2
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java, OpenSSL, and libcurl may affect IBM Storage Protect Backup-Archive Client
2024-04-04 18:40:44
Security Bulletin: Multiple vulnerabilities in IBM Java, OpenSSL, and libcurl may affect IBM Storage Protect for Virtual Environments: Data Protection for Microsoft Hyper-V
2024-04-04 18:41:01
Security Bulletin: Multiple vulnerabilities in IBM Java may affect IBM Storage Protect for Space Management
2024-06-21 07:32:47
cloudlinux
cloudlinux
java-1.8.0-openjdk: Fix of 8 CVEs
2024-01-31 10:50:31
nessus
nessus
openSUSE 15 Security Update : java-1_8_0-openj9 (SUSE-SU-2024:0479-1)
2024-02-17 00:00:00
Amazon Linux 2023 : java-1.8.0-amazon-corretto, java-1.8.0-amazon-corretto-devel (ALAS2023-2024-486)
2024-01-23 00:00:00
AlmaLinux 9 : java-1.8.0-openjdk (ALSA-2024:0265)
2024-01-20 00:00:00
openvas
openvas
openSUSE: Security Advisory for java (SUSE-SU-2024:0479-1)
2024-03-04 00:00:00
Ubuntu: Security Advisory (USN-6696-1)
2024-03-18 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:0847-1)
2024-05-07 00:00:00
debian
debian
[SECURITY] [DLA 3728-1] openjdk-11 security update
2024-01-31 15:32:31
[SECURITY] [DSA 5604-1] openjdk-11 security update
2024-01-23 21:54:17
[SECURITY] [DSA 5613-1] openjdk-17 security update
2024-02-01 22:40:03
ubuntu
ubuntu
OpenJDK 8 vulnerabilities
2024-03-18 00:00:00
OpenJDK 11 vulnerabilities
2024-02-27 00:00:00
OpenJDK 21 vulnerabilities
2024-02-27 00:00:00
osv
osv
Important: java-11-openjdk security update
2024-01-18 00:00:00
openjdk-lts vulnerabilities
2024-02-27 02:36:42
openjdk-8 vulnerabilities
2024-03-18 04:06:20
redhat
redhat
(RHSA-2024:0224) Important: java-1.8.0-openjdk security and bug fix update
2024-01-17 15:22:22
(RHSA-2024:0226) Important: java-1.8.0-openjdk security and bug fix update
2024-01-17 15:24:39
(RHSA-2024:0228) Important: java-1.8.0-openjdk security update
2024-01-17 16:41:40
centos
centos
java security update
2024-01-26 18:12:38
java security update
2024-01-26 18:11:41
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2024-03-07 15:16:48
oraclelinux
oraclelinux
java-11-openjdk security update
2024-01-17 00:00:00
java-11-openjdk security update
2024-01-23 00:00:00
java-1.8.0-openjdk security and bug fix update
2024-01-23 00:00:00
almalinux
almalinux
Important: java-11-openjdk security update
2024-01-18 00:00:00
Important: java-1.8.0-openjdk security and bug fix update
2024-01-17 00:00:00
Important: java-21-openjdk security update
2024-01-17 00:00:00
amazon
amazon
Important: java-1.8.0-openjdk
2024-02-01 19:57:00
mageia
mageia
Updated java 1.8.0, 11 & latest packages fix security vulnerabilities
2024-03-15 05:49:05
fedora
fedora
[SECURITY] Fedora 37 Update: openssl-3.0.9-1.fc37
2023-06-04 01:24:09
atlassian
atlassian
Bundled JRE in Bitbucket 8.0+ is vulnerable to OpenJDK vulnerabilities CVE-2024-20918, CVE-2024-20919
2024-05-23 06:45:36
Bundled JRE in Bitbucket 8.16+ is vulnerable to OpenJDK vulnerabilities CVE-2024-20918, CVE-2024-20919
2024-04-22 06:45:05

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

10 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

66.1%

JSON
Related for B431FC9A2586C14A41C6CC8B7548DCF5E4CCC240ACD75F921F4108C8790757A9
ibm55cloudlinux1nessus57openvas25debian3ubuntu3osv12redhat24centos2aix1oraclelinux6almalinux5amazon1mageia1fedora1atlassian2