
Security Bulletin: Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925)

Published: 2023-03-20 08:51:19
Source: www.ibm.com

CVSS3: 8.5 High (the highest base score among the CVEs listed below)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network | Attack Complexity: High | Privileges Required: Low | User Interaction: None
Scope: Changed | Confidentiality Impact: High | Integrity Impact: High | Availability Impact: High

EPSS: 0.0004 Low (percentile 9.1%)

Summary

Multiple vulnerabilities have been identified in IBM Security Guardium Key Lifecycle Manager. They are fixed in IBM Security Guardium Key Lifecycle Manager v4.2 and v4.1.1.7. Upgrade to GKLM v4.2 or apply the latest fix pack (4.1.1 FP 7) to obtain the fixes.

Vulnerability Details

CVEID: CVE-2023-25921
DESCRIPTION: IBM Security Guardium Key Lifecycle Manager allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
CVSS Base score: 8.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247620 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2023-25926
DESCRIPTION: IBM Security Guardium Key Lifecycle Manager could allow a local privileged user to escalate their privileges to a higher level of access.
CVSS Base score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247633 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-25685
DESCRIPTION: IBM Security Guardium Key Lifecycle Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247599 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H)
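The mechanism behind the XXE class named for CVE-2023-25685, as an added example. This is not IBM's code and says nothing about how GKLM itself parses XML; it uses Python's standard-library SAX parser to show the same document parsed twice, once with external entity resolution enabled (the vulnerable configuration) and once with it disabled (the hardened one). The target file, its contents and the request document are constructed here for the demonstration.

```python
"""XXE: one document, parsed with and without external entity resolution.

Added example, not code from IBM or GKLM. A DTD declares an external
general entity whose SYSTEM identifier points at a local file; a parser
that resolves such entities splices the file's contents into the
document text the application then reads.
"""
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects the character data the parser hands to the application."""

    def __init__(self) -> None:
        super().__init__()
        self._parts: list[str] = []

    def characters(self, content: str) -> None:
        self._parts.append(content)

    @property
    def text(self) -> str:
        return "".join(self._parts)


def parse_text(document: bytes, resolve_external_entities: bool) -> str:
    """Parse `document` and return its character data.

    resolve_external_entities=True mirrors a parser left with external
    entity processing on; False is the hardened setting (and the default
    in Python 3.7.1 and later).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    source = xml.sax.InputSource()
    source.setByteStream(io.BytesIO(document))
    parser.parse(source)
    return handler.text


def build_xxe_payload(target_uri: str) -> bytes:
    """Classic XXE request: an external general entity referenced in the body."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<request><name>&xxe;</name></request>\n"
    ).encode()


def demo() -> tuple[str, str]:
    """Return (text seen with resolution on, text seen with resolution off)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive server-side file.
        secret = Path(tmp) / "secret.txt"
        secret.write_text("constructed-secret-value")
        payload = build_xxe_payload(secret.as_uri())
        leaked = parse_text(payload, resolve_external_entities=True)
        safe = parse_text(payload, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("resolution on :", repr(leaked))   # file contents appear in <name>
    print("resolution off:", repr(safe))     # entity is not expanded
```

With resolution on, the application receives the file's contents as the value of `<name>`; with it off, the reference is simply not expanded. The "consume memory resources" outcome in the description corresponds to the other half of the same weakness, recursive entity expansion, which recent Expat builds cap but which this check does not exercise.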

CVEID: CVE-2023-25922
DESCRIPTION: IBM Security Guardium Key Lifecycle Manager allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247621 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2023-25925
DESCRIPTION: IBM Security Guardium Key Lifecycle Manager could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
CVSS Base score: 8.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247632 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                            Version(s)
IBM Security Key Lifecycle Manager             3.0
IBM Security Key Lifecycle Manager             3.0.1
IBM Security Guardium Key Lifecycle Manager    4.0
IBM Security Guardium Key Lifecycle Manager    4.1
IBM Security Guardium Key Lifecycle Manager    4.1.1

Remediation/Fixes

1. GKLM users on version 3.0, 3.0.1, 4.0 or 4.1 can either:

   i. upgrade to GKLM 4.1.1 and then apply 4.1.1-ISS-SKLM-FP0007, or

   ii. upgrade to GKLM v4.2.

2. GKLM users on version 4.1.1.x can either:

   i. apply 4.1.1-ISS-SKLM-FP0007, or

   ii. upgrade to GKLM v4.2.

3. New GKLM users can install GKLM v4.2 directly.

Product(s)                                     Remediation / Fix
IBM Security Guardium Key Lifecycle Manager    4.1.1-ISS-SKLM-FP0007
IBM Security Guardium Key Lifecycle Manager    GKLMv4.2 (IBM Passport Advantage website)
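The three remediation cases above, encoded as an added triage example (not IBM's tooling) for sorting an inventory of GKLM instances by what to do next. The accepted version spellings ("4.1.1.5", "4.1.1 FP 7", "4.1.1-ISS-SKLM-FP0007") are an assumption about how inventories report the product; releases later than 4.2 are not mentioned in this bulletin, so the code does not claim anything about them.

```python
"""Triage GKLM versions against this bulletin's remediation paths.

Added example, not IBM's code. Version facts come from the bulletin;
the accepted version string formats are assumptions about inventory data.
"""
import re

# Facts from the bulletin.
AFFECTED_RELEASES = {(3, 0), (4, 0), (4, 1)}   # covers 3.0, 3.0.1, 4.0, 4.1, 4.1.1
FIXED_FIX_PACK = (4, 1, 1, 7)                 # 4.1.1 FP 7 = 4.1.1-ISS-SKLM-FP0007
FIXED_RELEASE = (4, 2)                        # GKLM v4.2

# Assumed inventory spellings: '4.1.1.5', '4.1.1 FP 7', '4.1.1-ISS-SKLM-FP0007'.
_VERSION_RE = re.compile(
    r"\s*(\d+(?:\.\d+)*)"                          # dotted release, e.g. 4.1.1
    r"(?:[-\s]+(?:ISS-SKLM-)?FP\s*0*(\d+))?\s*",   # optional fix-pack suffix
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Normalise a GKLM version string to (major, minor, mod, fixpack)."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised GKLM version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0, 0])[:4]
    if m.group(2) is not None:          # 'FP 7' style suffix sets the fix-pack slot
        parts[3] = int(m.group(2))
    return tuple(parts)


def triage(version_text: str) -> dict:
    """Map an installed version to the bulletin's remediation path."""
    v = parse_version(version_text)
    if v[:2] == FIXED_RELEASE:
        return {"version": v, "affected": False,
                "action": "none: GKLM v4.2 contains the fixes"}
    if v[:3] == (4, 1, 1):
        if v >= FIXED_FIX_PACK:
            return {"version": v, "affected": False,
                    "action": "none: 4.1.1 FP 7 or later contains the fixes"}
        return {"version": v, "affected": True,
                "action": "apply 4.1.1-ISS-SKLM-FP0007, or upgrade to GKLM v4.2"}
    if v[:2] in AFFECTED_RELEASES:
        return {"version": v, "affected": True,
                "action": "upgrade to GKLM 4.1.1 and apply 4.1.1-ISS-SKLM-FP0007, "
                          "or upgrade to GKLM v4.2"}
    # Neither listed as affected nor named as a fixed release in this bulletin.
    return {"version": v, "affected": None,
            "action": "not covered by this bulletin; check IBM's advisory for this release"}


def triage_inventory(versions: list[str]) -> list[dict]:
    """Triage every reported version string in an inventory."""
    return [dict(reported=s, **triage(s)) for s in versions]


if __name__ == "__main__":
    # Constructed inventory sample.
    for row in triage_inventory(["3.0.1", "4.1", "4.1.1.5", "4.1.1 FP 7", "4.2"]):
        print(row)
```

Instances on 4.1.1 below FP 7 and on 4.1.1 at or above FP 7 are distinguished by the fourth component, which is why fix-pack suffixes are folded into that slot before comparing.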

Workarounds and Mitigations

None
