Lucene search

K
ibmIBMD0D36BA3662696B91072CE7DE5FC15E58E09FF969D239C95A99D5C860F71DE50
HistoryMay 23, 2024 - 3:35 p.m.

Security Bulletin: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2024-22259, CVE-2024-22243, CVE-2024-22262).

2024-05-2315:35:34
www.ibm.com
7
spring framework
ibm tivoli
application dependency discovery manager
upgrade
vulnerability
phishing
open redirect
cve-2024-22262
cve-2024-22243
cve-2024-22259
security bulletin
fix
efix
taddm 7.3.0.9

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

Summary

Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager ((CVE-2024-22259, CVE-2024-22243, CVE-2024-22262). IBM has addressed the vulnerabilities.

Vulnerability Details

CVEID:CVE-2024-22262
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID:CVE-2024-22243
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability when using UriComponentsBuilder to parse an externally provided URL. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-22259
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285631 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 - 7.3.0.11

Remediation/Fixes

In order to fix these vulnerabilities, Spring is to be upgraded to 5.3.34 version. The efix to resolve these vulnerabilities can only be applied to TADDM version 7.3.0.9 or later versions as per below given detailed steps. For customer at older TADDM Fixpack level (i.e., 7.3.0.8 or older), they need to first upgrade their TADDM environment to TADDM 7.3.0.9 level and then follow the step given below.

Detailed steps:

For TADDM 7.3.0.9 & Above, check if there is any previously applied eFixes in their TADDM environment.

  1. If there is no prior efixes(ls -rlt etc/efix*) applied in their TADDM, then download the efix given in Table-1and apply the efix.
  2. If there are existing efixes on TADDM (ls -rlt etc/efix*), please contact IBM Support and open a case for a custom version of the eFix as the efix involves TADDM code changes. Include the current eFix level (ls -rlt etc/efix*), TADDM version and a link to this bulletin in the Support Case

For any other TADDM fixpack level (i.e., 7.3.0.8 or older), to apply this bulletin, upgrade to TADDM 7.3.0.9 and then follow procedure as mentioned above for TADDM 7.3.0.9 & above .

Table-1

Fix|

VRMF

| APAR|How to acquire fix
—|—|—|—
efix_spring5_5.3.34_FP9211123.zip|

7.3.0.9

| None| Download eFix
efix_spring5_5.3.34_FP10221123.zip|

7.3.0.10

| None| Download eFix
efix_spring5_5.3.34_FP11230825.zip|

7.3.0.11

| None| Download eFix

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmtivoli_application_dependency_discovery_managerMatch7.3.0.0
OR
ibmtivoli_application_dependency_discovery_managerMatch7.3.0.8

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

7.2 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%