Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

2024-09-05 13:47:35
www.ibm.com

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.8
Confidence: High

Summary

There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. Golang html package is vulnerable to cross-site scripting (CVE-2023-3978). Golang Go is vulnerable to a denial of service (CVE-2023-45288). Golang autocert package could allow a remote attacker to traverse directories on the system (CVE-2022-30636). These components are used in IBM i Modernization Engine for Lifecycle Integration for infrastructure support in the platform. This bulletin identifies the steps to take to address the vulnerabilities as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2022-30636
**DESCRIPTION:** Golang autocert package could allow a remote attacker to traverse directories on the system, caused by a flaw in the DirCache implementation. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/297843 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
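The DirCache flaw in CVE-2022-30636 is a path-traversal pattern: a caller-controlled cache key is joined onto the cache directory without validation. As an added illustration (not IBM's or the Go project's code; the validation rules are my own and not autocert's actual fix), here is a Go directory-cache lookup written the traversal-prone way beside a hardened variant that refuses any key that could leave the cache directory:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadKey is returned for cache names that could escape the cache directory.
var ErrBadKey = errors.New("dircache: invalid cache key")

// unsafeCachePath is the traversal-prone pattern the bulletin describes: the
// caller's name is joined straight onto dir, so ".." walks out of the cache.
func unsafeCachePath(dir, name string) string {
	return filepath.Join(dir, name)
}

// safeCachePath is a hardened variant (illustrative rules, not autocert's fix):
// one path element, no separators or "..", and the joined result must sit directly inside dir.
func safeCachePath(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || filepath.Base(name) != name {
		return "", ErrBadKey
	}
	p := filepath.Join(dir, name)
	if filepath.Dir(p) != filepath.Clean(dir) {
		return "", ErrBadKey
	}
	return p, nil
}

// Get reads one cache entry, refusing names that fail validation.
func Get(dir, name string) ([]byte, error) {
	p, err := safeCachePath(dir, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	dir, _ := os.MkdirTemp("", "dircache") // constructed sample cache
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "example.com"), []byte("cert"), 0o600)
	fmt.Println(Get(dir, "example.com"))
	fmt.Println(Get(dir, "../etc/passwd")) // rejected before any file is opened
}
```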

CVEID: CVE-2023-3978
**DESCRIPTION:** Golang html package is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/262415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2023-45288
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a memory exhaustion flaw due to a flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/286962 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM i Modernization Engine for Lifecycle Integration | 1.0 - 1.4.8 |
| IBM i Modernization Engine for Lifecycle Integration | 2.0 - 2.0.2 |

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by upgrading.

| Product(s) | Version(s) | Remediation/Fix/Instructions |
| --- | --- | --- |
| IBM i Modernization Engine for Lifecycle Integration | 1.0 - 1.4.8 | Follow instructions to download and install v1.4.9 |
| IBM i Modernization Engine for Lifecycle Integration | 2.0 - 2.0.1 | Follow instructions to download and install v2.0.2 |

Workarounds and Mitigations

None

