
Security Bulletin: IBM Operational Decision Manager September 2023 - Multiple CVEs addressed

2023-09-28 07:41:45
www.ibm.com

CVSS3 base score: 6.5 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
EPSS: 0.001 Low (percentile 28.1%)

Summary

IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks through third-party and open source components used in the product for various functions. See the full list below. The vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2023-2253
**DESCRIPTION:** Distribution is vulnerable to a denial of service, caused by improper input validation by the /v2/_catalog endpoint. By sending a specially crafted request to the /v2/_catalog API endpoint, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/254846 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-22006
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Networking component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/261043 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2023-22036
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Utility component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/261044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-22041
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a local attacker to cause high confidentiality impacts.
CVSS Base score: 5.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/261045 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-22045
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impacts.
CVSS Base score: 3.7
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/261047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2023-22049
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Libraries component could allow a remote attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/261048 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Operational Decision Manager | 8.10.x |
| IBM Operational Decision Manager | 8.11.x |
| IBM Operational Decision Manager | 8.12.x |

Remediation/Fixes

IBM Operational Decision Manager V8.10.5.1:
Interim fix 043 is available from IBM Fix Central:

  • 8.10.5.1-WS-ODM_K8S-PPC64LE-IF043
  • 8.10.5.1-WS-ODM_K8S-LIN_X86-IF043
  • 8.10.5.1-WS-ODM_DC-IF043
  • 8.10.5.1-WS-ODM_DS-IF043

IBM Operational Decision Manager V8.11.0.1:
Interim fix 023 is available from IBM Fix Central:

  • 8.11.0.1-WS-ODM-IF023
  • 8.11.0.1-WS-ODM_K8S-PPC64LE-IF023
  • 8.11.0.1-WS-ODM_K8S-LIN_S390-IF023
  • 8.11.0.1-WS-ODM_K8S-LIN_X86-IF023

IBM Operational Decision Manager V8.11.1:
Interim fix 012 is available:

IBM Operational Decision Manager V8.12.0:
Interim fix 004 is available:

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm operational_decision_manager, version match 8.10. OR 8.11. OR 8.12.
