Security Bulletin: Sterling Control Center v6.2.1 is vulnerable due to Apache ActiveMQ issue

2024-07-29 12:14:07
www.ibm.com
ibm sterling control center
apache activemq
cve-2023-46604
vulnerability
upgrade
security patch

CVSS3: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

AI Score: 8.1
Confidence: Low
EPSS: 0.969
Percentile: 99.8%

Summary

Sterling Control Center v6.2.1 depends on Apache ActiveMQ, which is vulnerable to CVE-2023-46604, an OpenWire protocol deserialization flaw that allows remote code execution.

Vulnerability Details

CVEID: CVE-2023-46604
**DESCRIPTION:** Apache ActiveMQ and the ActiveMQ Legacy OpenWire Module could allow a remote attacker to execute arbitrary code on the system, caused by unsafe deserialization of class types in the OpenWire protocol: when unmarshalling an exception, the OpenWire marshaller instantiates whatever class name the peer supplies, so any Java-based broker or client reachable over OpenWire can be made to load a class of the attacker's choosing from its classpath. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/269795 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)
Note that this 9.4 score uses an unchanged-scope vector (S:U); the 10.0 shown at the top of this page is the same set of metrics scored with scope changed (S:C).

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Control Center | 6.2.1 |
| IBM Control Center | 6.3.0 |

Remediation/Fixes

| Product | Version | Remediation |
|---|---|---|
| IBM Sterling Control Center | 6.2.1.0 GA through iFix13 | 6.2.1.0 iFix13 (Fix Central, 6.2.1.0) |
| IBM Sterling Control Center | 6.3.0.0 GA through iFix06 | 6.3.0.0 iFix06 (Fix Central, 6.3.0.0) |

Workarounds and Mitigations

  • In 6.2.1, the bundled Apache ActiveMQ is upgraded to 5.16.7, which contains the fix for CVE-2023-46604.
  • In 6.3.0, the bundled Apache ActiveMQ is likewise upgraded to 5.16.7.
  • The fix is also included in v6.3.1.0 and later releases.

No configuration-level workaround is given; the remediation is the iFix or release that carries the patched ActiveMQ library.

Note: Customers on the end-of-support (EOS) releases v6.1.3.0 and v6.3.0.0 are encouraged to upgrade to the latest release, as those versions will not receive security patches.
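The mitigation above amounts to "the bundled broker is now 5.16.7", so the practical check is to confirm what version the Control Center broker actually announces rather than trusting a file name. An OpenWire listener sends a WireFormatInfo command to every peer on connect, and its property map carries ProviderVersion. The Python script below is an added example, not code from the IBM bulletin or the ActiveMQ project: it parses that frame and compares the announced version against the first fixed release of each 5.x branch as listed in the Apache advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3; the bulletin itself names only 5.16.7). The frame builder and SAMPLE_PROPS exist only to construct offline input resembling a broker banner, and port 61616 is the ActiveMQ default, assumed here for a Control Center install.

```python
"""Read the ActiveMQ version announced in an OpenWire WireFormatInfo handshake
and decide whether it predates the CVE-2023-46604 fix (added example)."""
import socket
import struct

# First fixed release per 5.x branch, per the Apache advisory for CVE-2023-46604
# (the bulletin above cites only 5.16.7).
FIXED_VERSIONS = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
                  (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
BOOLEAN_TYPE, INTEGER_TYPE, LONG_TYPE, STRING_TYPE = 1, 5, 6, 9  # map value tags
WIREFORMAT_INFO = 1          # command type byte of WireFormatInfo
MAGIC = b"ActiveMQ"          # 8-byte magic that opens the command body

# Constructed sample of the properties a broker sends; not a real capture.
SAMPLE_PROPS = {"TcpNoDelayEnabled": True, "CacheSize": 1024,
                "ProviderName": "ActiveMQ", "MaxInactivityDuration": 30000,
                "ProviderVersion": "5.16.6"}


def _marshal_map(props):
    """Encode a dict as OpenWire's marshalled primitive map: int count, then
    UTF key + one-byte type tag + value for each entry."""
    out = struct.pack(">i", len(props))
    for key, value in props.items():
        k = key.encode()
        out += struct.pack(">H", len(k)) + k
        if isinstance(value, bool):        # bool first: it is an int subclass
            out += struct.pack(">B?", BOOLEAN_TYPE, value)
        elif isinstance(value, int):
            out += struct.pack(">Bi", INTEGER_TYPE, value)
        else:
            v = str(value).encode()
            out += struct.pack(">BH", STRING_TYPE, len(v)) + v
    return out


def build_wireformat_info(props, wire_version=12):
    """Loose-encoded frame: int size, type byte, magic, int wire version, then a
    not-null flag and a length-prefixed property map. Only builds sample input."""
    body = struct.pack(">B", WIREFORMAT_INFO) + MAGIC + struct.pack(">i", wire_version)
    payload = _marshal_map(props)
    body += struct.pack(">?i", True, len(payload)) + payload
    return struct.pack(">i", len(body)) + body


def parse_wireformat_info(frame):
    """Return the property dict carried by a WireFormatInfo frame (bytes)."""
    size, kind = struct.unpack_from(">iB", frame, 0)
    if kind != WIREFORMAT_INFO or frame[5:13] != MAGIC or len(frame) != size + 4:
        raise ValueError("not a complete OpenWire WireFormatInfo frame")
    present, length = struct.unpack_from(">?i", frame, 17)  # after size/type/magic/version
    props, pos = {}, 22
    if not present:
        return props
    (count,) = struct.unpack_from(">i", frame, pos)
    pos += 4
    for _ in range(count):
        (klen,) = struct.unpack_from(">H", frame, pos)
        key = frame[pos + 2:pos + 2 + klen].decode()
        tag, pos = frame[pos + 2 + klen], pos + 3 + klen
        if tag == BOOLEAN_TYPE:
            value, pos = bool(frame[pos]), pos + 1
        elif tag in (INTEGER_TYPE, LONG_TYPE):
            fmt = ">i" if tag == INTEGER_TYPE else ">q"
            (value,), pos = struct.unpack_from(fmt, frame, pos), pos + struct.calcsize(fmt)
        elif tag == STRING_TYPE:
            (vlen,) = struct.unpack_from(">H", frame, pos)
            value, pos = frame[pos + 2:pos + 2 + vlen].decode(), pos + 2 + vlen
        else:
            raise ValueError(f"unhandled property type {tag} for {key}")
        props[key] = value
    if pos != 22 + length:
        raise ValueError("property map length mismatch")
    return props


def parse_version(text):
    """'5.16.7' -> (5, 16, 7); tolerates suffixes such as '5.16.7-SNAPSHOT'."""
    nums = []
    for part in text.split("-")[0].split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(version_text):
    """True when the announced version predates the fix for its branch. Branches
    before 5.15 never received a fix; 6.x shipped after it (assumption)."""
    v = parse_version(version_text)
    if v[:2] in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[v[:2]]
    return v[:2] < (5, 15)


def probe_broker(host, port=61616, timeout=5.0):
    """Connect to an OpenWire listener (61616 is the ActiveMQ default, assumed for
    Control Center), read the unsolicited WireFormatInfo, return (version, vulnerable)."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as f:
        header = f.read(4)
        (size,) = struct.unpack(">i", header)
        frame = header + f.read(size)
    version = parse_wireformat_info(frame).get("ProviderVersion", "")
    return version, is_vulnerable(version)
```

Run probe_broker against a lab broker to see the real banner; an empty or unparseable ProviderVersion is reported as vulnerable so that an unknown listener is never silently passed. The parser handles only the primitive types a broker banner uses (boolean, int, long, string) and raises on anything else rather than guessing. A fixed version string closes this CVE but says nothing about whether the OpenWire port should be reachable from the network that ran the probe in the first place.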

Affected configurations (Vulners)

Match: ibm control_center 6.2.1.0

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | control_center | 6.2.1.0 | cpe:2.3:a:ibm:control_center:6.2.1.0:*:*:*:*:*:*:* |
