Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD293ED5275E05C0913AB49BE90C6EBD2605C4B8BF5FC696664738E061ACF0338
HistorySep 16, 2023 - 12:18 a.m.

Security Bulletin: Vulnerabilities in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI

2023-09-1600:18:13
www.ibm.com
15
apache struts
vulnerabilities
tivoli netcool/omnibus
webgui
denial of service
cve-2023-34396
cve-2023-34149
fix pack 32
ibm
multipart request

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.018

Percentile

88.4%

JSON

Summary

Apache Struts is used by Tivoli Netcool/OMNIbus WebGUI as part of its web client component (CVE-2023-34149, CVE-2023-34396)

Vulnerability Details

CVEID:CVE-2023-34396
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by a flaw when processing Multipart request containing non-file normal form fields. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257946 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-34149
**DESCRIPTION:**Apache Struts is vulnerable to a denial of service, caused by a flaw with only handling setProperty() but not getProperty(). By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257947 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 FP31 and earlier

Remediation/Fixes

Product VRMF APAR Remediation/First Fix
Tivoli Netcool/OMNIbus WebGUI 8.1.0 KT52531 Apply Fix Pack 32 (Fix Pack for WebGUI 8.1.0 Fix Pack 32)

Workarounds and Mitigations

Upgrade to WebGUI 8.1.0 Fix Pack 32.

Affected configurations

Vulners
Node
ibmtivoli_netcool\/omnibusMatch8.1.0
VendorProductVersionCPE
ibmtivoli_netcool\/omnibus8.1.0cpe:2.3:a:ibm:tivoli_netcool\/omnibus:8.1.0:*:*:*:*:*:*:*

Related

ibm 11
osv 4
github 2
veracode 2
ubuntucve 2
nessus 4
cnvd 2
openvas 2
f5 2
atlassian 2
prion 2
cvelist 2
nvd 2
cve 2
oracle 1
ibm
ibm
Security Bulletin: Apache Struts Vulerability Affects IBM eDiscovery Manager (CVE-2023-34149, CVE-2023-34396)
2023-07-12 10:01:37
Security Bulletin: Due to use of Apache Struts, IBM Sterling File Gateway is affected by denial of service vulnerabilities (CVE-2023-34149, CVE-2023-34396)
2024-02-22 16:27:25
Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. (CVE-2023-34396, CVE-2023-34149)
2023-07-04 13:04:55
osv
osv
CVE-2023-34396
2023-06-14 08:15:09
Apache Struts vulnerable to memory exhaustion
2023-06-14 09:30:42
CVE-2023-34149
2023-06-14 08:15:09
github
github
Apache Struts vulnerable to memory exhaustion
2023-06-14 09:30:42
Apache Struts vulnerable to memory exhaustion
2023-06-14 09:30:42
veracode
veracode
Denial Of Service (DoS)
2023-06-15 16:44:06
Denial Of Service (DoS)
2023-06-15 17:33:32
ubuntucve
ubuntucve
CVE-2023-34149
2023-06-14 00:00:00
CVE-2023-34396
2023-06-14 00:00:00
nessus
nessus
Apache Struts 2.0.0 < 6.1.2.1 Denial of Service (S2-063)
2023-06-13 00:00:00
Apache Struts < 2.5.31 / 6.1.2.1 Denial of Service (S2-064)
2023-06-13 00:00:00
Oracle MySQL Enterprise Monitor (Jul 2023 CPU)
2023-07-21 00:00:00
cnvd
cnvd
Apache Struts Denial of Service Vulnerability (CNVD-2023-55432)
2023-06-16 00:00:00
Apache Struts Denial of Service Vulnerability (CNVD-2023-55422)
2023-06-16 00:00:00
openvas
openvas
Apache Struts Security Update (S2-063)
2023-06-14 00:00:00
Apache Struts Security Update (S2-064)
2023-06-14 00:00:00
f5
f5
K000135156 : Apache Struts vulnerability CVE-2023-34149
2023-06-22 00:00:00
K000135251 : Apache Struts vulnerability CVE-2023-34396
2023-06-27 00:00:00
atlassian
atlassian
DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server
2024-04-25 17:10:32
DoS (Denial of Service) apache-struts in Bamboo Data Center and Server
2023-11-14 09:45:07
prion
prion
Code injection
2023-06-14 08:15:00
Code injection
2023-06-14 08:15:00
cvelist
cvelist
CVE-2023-34149 Apache Struts: DoS via OOM owing to not properly checking of list bounds
2023-06-14 07:48:54
CVE-2023-34396 Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms
2023-06-14 07:50:59
nvd
nvd
CVE-2023-34149
2023-06-14 08:15:09
CVE-2023-34396
2023-06-14 08:15:09
cve
cve
CVE-2023-34149
2023-06-14 08:15:09
CVE-2023-34396
2023-06-14 08:15:09
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.018

Percentile

88.4%

JSON
Related for D293ED5275E05C0913AB49BE90C6EBD2605C4B8BF5FC696664738E061ACF0338
ibm11osv4github2veracode2ubuntucve2nessus4cnvd2openvas2f52atlassian2prion2cvelist2nvd2cve2oracle1