Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to buffer overflow due to OpenJDK (CVE-2023-2597)

2023-06-1505:44:39

www.ibm.com

ibm sterling partner engagement manager

buffer overflow

openjdk

cve-2023-2597

vulnerability

affected versions

remediation

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

0.001 Low

EPSS

Percentile

48.3%

JSON

Summary

The vulnerability in open JDK that is shipped with IBM Sterling Partner Engagement Manager. The CVE(s) listed in this document are addressed.

Vulnerability Details

CVEID:CVE-2023-2597
**DESCRIPTION:**Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255906 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Partner Engagement Manager	6.2.1
IBM Sterling Partner Engagement Manager	6.2.2
IBM Sterling Partner Engagement Manager	6.1.2
IBM Sterling Partner Engagement Manager	6.2.0

Remediation/Fixes

Product	Version	Remediation
IBM Sterling Partner Engagement Manager Essentials Edition	6.1.2.8	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.1.2.8&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition	6.1.2.8	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.8&source=SAR
IBM Sterling Partner Engagement Manager Essentials Edition	6.2.0.6	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.0.6&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition	6.2.0.6	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.6&source=SAR
IBM Sterling Partner Engagement Manager Essentials Edition	6.2.1.3	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.1.3&source=SAR
IBM Sterling Partner Engagement Manager Standard Edition	6.2.1.3	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.1.3&source=SAR
IBM Sterling Partner Engagement Manager Essentials Edition	6.2.2.1	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.2.1&source=SA
IBM Sterling Partner Engagement Manager Standard Edition	6.2.2.1	https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.2.1&source=SAR

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmulti-enterprise_integration_gatewayMatch6.1

ibmmulti-enterprise_integration_gatewayMatch6.2

ibmmulti-enterprise_integration_gatewayMatch6.2.1

CPENameOperatorVersion
multi-enterprise relationship managementeq6.1
multi-enterprise relationship managementeq6.2
multi-enterprise relationship managementeq6.2.1