Lucene search

K
ibmIBMC0FB1FFC7503F837D3B7602EA9FF0333F69944CF0D9734D3E7ACD77BF205F607
HistoryJul 20, 2022 - 7:35 p.m.

Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager appliance (CVE-2022-24407, CVE-2020-25709, CVE-2020-25710)

2022-07-2019:35:53
www.ibm.com
26
ibm security access manager
sql injection
denial of service
vulnerabilities
fixes
isam
9.0

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.028 Low

EPSS

Percentile

90.7%

Summary

The IBM Security Access Manager virtual appliance has addressed the following vulnerabilities.

Vulnerability Details

CVEID:CVE-2022-24407
**DESCRIPTION:**Cyrus SASL is vulnerable to SQL injection. A remote authenticated attacker could send a specially-crafted SQL statements to view, add, modify or delete information in the back-end database.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220223 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-25709
**DESCRIPTION:**OpenLDAP is vulnerable to a denial of service, caused by an assertion failure in certificateListValidate function in servers/slapd/schema_init.c. By sending a specially crafted packet, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192486 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-25710
**DESCRIPTION:**OpenLDAP is vulnerable to a denial of service, caused by an assertion failure in csnNormalize23 function in servers/slapd/schema_init.c. By sending a specially crafted packet, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192487 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
ISAM 9.0

Remediation/Fixes

For the ISAM appliance

Affected Products and Versions

|

Fix availability

—|—

IBM Security Access Manager

|

9.0.7.2-ISS-ISAM-IF0004

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsecurity_access_manager_applianceMatch9.0.7.0
OR
ibmsecurity_access_manager_applianceMatch9.0.7.1
OR
ibmsecurity_access_manager_applianceMatch9.0.7.2

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.028 Low

EPSS

Percentile

90.7%