Lucene search

IBMC32BB27253CCAB6453552CD93B99F6E848F9D5796014B048855419CB5111E282

HistoryJun 03, 2024 - 9:18 a.m.

Security Bulletin: IBM Sterling Transformation Extender is vulnerable to multiple issues due to IBM Java

2024-06-0309:18:53

www.ibm.com

ibm sterling transformation extender

ibm sdk java technology

vulnerabilities

cve-2024-21094

cve-2024-21085

cve-2024-21011

cve-2023-38264

cve-2024-20952

cve-2024-20918

cve-2024-20921

cvss scores

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.7

Confidence

High

EPSS

0.002

Percentile

61.8%

JSON

Summary

IBM Sterling Transformation Extender uses IBM SDK, Java Technology. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID:CVE-2024-21094
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-21011
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-38264
**DESCRIPTION:**The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20952
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20918
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20921
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20919
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high integrity impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279785 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2024-20926
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20945
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-33850
**DESCRIPTION:**IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Transformation Extender	10.1, 11.0

Remediation/Fixes

Affected Product(s)	Version(s)	APAR	Remediation
IBM Sterling Transformation Extender	10.1.0.2	PH61425	Link
IBM Sterling Transformation Extender	10.1.1.1	PH61425	Link
IBM Sterling Transformation Extender	10.1.2.1	PH61425	Link
IBM Sterling Transformation Extender	11.0.0.0	PH61425	Link

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmwebsphere_transformation_extenderMatch10.1.0.2

ibmwebsphere_transformation_extenderMatch10.1.1.1

ibmwebsphere_transformation_extenderMatch10.1.2.1

ibmwebsphere_transformation_extenderMatch11.0.0.0

VendorProductVersionCPE
ibmwebsphere_transformation_extender10.1.0.2cpe:2.3:a:ibm:websphere_transformation_extender:10.1.0.2:*:*:*:*:*:*:*
ibmwebsphere_transformation_extender10.1.1.1cpe:2.3:a:ibm:websphere_transformation_extender:10.1.1.1:*:*:*:*:*:*:*
ibmwebsphere_transformation_extender10.1.2.1cpe:2.3:a:ibm:websphere_transformation_extender:10.1.2.1:*:*:*:*:*:*:*
ibmwebsphere_transformation_extender11.0.0.0cpe:2.3:a:ibm:websphere_transformation_extender:11.0.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	websphere_transformation_extender	10.1.0.2	cpe:2.3:a:ibm:websphere_transformation_extender:10.1.0.2:::::::*
ibm	websphere_transformation_extender	10.1.1.1	cpe:2.3:a:ibm:websphere_transformation_extender:10.1.1.1:::::::*
ibm	websphere_transformation_extender	10.1.2.1	cpe:2.3:a:ibm:websphere_transformation_extender:10.1.2.1:::::::*
ibm	websphere_transformation_extender	11.0.0.0	cpe:2.3:a:ibm:websphere_transformation_extender:11.0.0.0:::::::*