
Security Bulletin: IBM Security Verify Access is vulnerable to arbitrary code execution due to the jsrsasign component [CVE-2022-25898]

Published: 2022-11-08 16:08:21
Source: www.ibm.com

CVSS v2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial

CVSS v3.1: 9.8 Critical (9.8 sits in the Critical band of the v3 qualitative scale, not High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High

EPSS: 0.01 Low (percentile 83.7%)

Summary

The Node.js jsrsasign module is bundled with IBM Security Verify Access. The issue has been fixed by updating the jsrsasign version shipped with IBM Security Verify Access. [CVE-2022-25898]

Vulnerability Details

CVEID: CVE-2022-25898
**DESCRIPTION:** The Node.js jsrsasign module could allow a remote attacker to execute arbitrary code on the system, caused by embedded malicious code. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/229808 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Security Verify Access Docker | 10.0.X
IBM Security Verify Access | 10.0.X

This affects all ISVA releases from 10.0.0.0 through 10.0.4.0 inclusive. It is fixed in ISVA 10.0.4.0 interim fix 1 (10.0.4.0-ISS-ISVA-IF0001); later releases carry the fix.

Remediation/Fixes

IBM encourages customers to update their systems promptly.

IBM Security Verify Access (Docker Container)

For Version 10.0.0.0

  • Obtain the latest version of the container by running the following command: docker pull ibmcom/verify-access:[tag]

Where [tag] is the latest published version and can be confirmed in the published tag list the bulletin links to. After pulling, confirm that the containers actually running were recreated from the new image, since an existing container keeps the old image even after a pull.

For the ISAM/ISVA appliances

Affected Products and Versions | Fix availability
IBM Security Verify Access 10.0.0.0 | 10.0.4.0-ISS-ISVA-IF0001

Workarounds and Mitigations

None

Affected configurations

IBM Security Verify Access 10.0.0, 10.0.1, 10.0.2, 10.0.3 or 10.0.4
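The affected range stated in "Affected Products and Versions" (10.0.0.0 through 10.0.4.0, fixed by 10.0.4.0-ISS-ISVA-IF0001) and the "Affected configurations" list above are easy to get wrong in an inventory sweep, because the fix is an interim fix on top of a release that is itself affected. The following is an added example, not IBM's code or tooling: it parses the version strings ISVA reports, treats 10.0.4.0 with interim fix 1 or later as fixed, and flags hosts that still need the update. The host names and versions in `SAMPLE_INVENTORY` are constructed for the example; versions outside the bulletin's stated range are reported as not affected by this bulletin, which is all the bulletin supports.

```python
# Added example (not IBM's code): decide whether an ISVA version string falls in
# the affected range this bulletin states for CVE-2022-25898, i.e. 10.0.0.0
# through 10.0.4.0 inclusive, fixed by 10.0.4.0 interim fix 1
# (10.0.4.0-ISS-ISVA-IF0001). Anything outside the stated range is reported as
# "not affected by this bulletin", which is all the bulletin supports.
import re
from typing import Dict, List, Tuple

FIRST_AFFECTED = (10, 0, 0, 0)
FIX_BASE = (10, 0, 4, 0)  # the fix is an interim fix layered on this release
FIX_IFIX = 1              # ...IF0001, written "IF1" in prose

# Accepts "10.0.4.0", "10.0.2" (missing mod level), "10.0.4.0 IF1",
# "10.0.4.0-IF1" and the fix-pack id "10.0.4.0-ISS-ISVA-IF0001".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?"          # major.minor.release[.mod]
    r"(?:[\s-]+(?:ISS-ISVA-)?IF0*(\d+))?$",       # optional interim-fix suffix
    re.IGNORECASE,
)


def parse_isva_version(text: str) -> Tuple[Tuple[int, int, int, int], int]:
    """Return ((major, minor, release, mod), ifix). ifix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISVA version string: {text!r}")
    major, minor, release, mod, ifix = m.groups()
    base = (int(major), int(minor), int(release), int(mod or 0))
    return base, int(ifix or 0)


def is_affected(text: str) -> bool:
    """True when the version is inside the bulletin's affected range."""
    base, ifix = parse_isva_version(text)
    if base < FIRST_AFFECTED or base > FIX_BASE:
        return False  # outside 10.0.0.0..10.0.4.0: not listed by this bulletin
    if base == FIX_BASE and ifix >= FIX_IFIX:
        return False  # 10.0.4.0 IF1 or a later interim fix carries the fix
    return True


def hosts_needing_fix(inventory: Dict[str, str]) -> List[str]:
    """Sorted host names whose reported version still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical host names, not from the bulletin).
SAMPLE_INVENTORY = {
    "isva-appliance-01": "10.0.3.0",
    "isva-appliance-02": "10.0.4.0-ISS-ISVA-IF0001",
    "isva-docker-01": "10.0.4.0",
    "isva-docker-02": "10.0.5.0",
}

if __name__ == "__main__":
    for host in hosts_needing_fix(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> apply 10.0.4.0-ISS-ISVA-IF0001 or later")
```

The interim-fix suffix is the part worth testing: a naive numeric comparison sees "10.0.4.0" and "10.0.4.0-ISS-ISVA-IF0001" as the same release and either flags the patched appliance or clears the unpatched one. Unparseable strings (for example a bare container tag such as "latest") raise rather than silently passing, so they surface for manual review.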
