IBME0381C87165744ED509B63FCCF1364F4F26E7CE45B6327D61868E537D5AFFD11Security Bulletin: Vulnerabilities in IBM SDK, Java Technology affect Rational Software Architect Designer and Rational Software Architect Designer for Websphere Software
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.7%
Summary
Vulnerabilities in IBM SDK, Java Technology affect Rational Software Architect Designer and Rational Software Architect Designer for Websphere Software (CVE-2023-33850, CVE-2023-22067)
Vulnerability Details
CVEID:CVE-2023-33850
**DESCRIPTION:**IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-22067
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the CORBA component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| RSA | 9.6 |
| RSA | 9.7 |
| RSA4WS | 9.6 |
| RSA4WS | 9.7 |
Remediation/Fixes
Update the IBM SDK, Java Technology Edition of the product to address this vulnerability:
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| Rational Software Architect Designer (RSAD) |
9.7 to 9.7.0.3 ,9.7.1 and 9.7.1.1
9.6 to 9.6.1.4
| IBM Java SDK/JRE 8 SR8 FP20 IFixes
Rational Software Architect Designer for WebSphere Software (RSAD4WS)|
9.7 to 9.7.0.3 ,9.7.1 and 9.7.1.1
9.6 to 9.6.1.4
| IBM Java SDK/JRE 8 SR8 FP20 IFixes
Installation Instructions:
For instructions on installing this update using Installation Manager, review the topic Updating Installed Product Packages in the IBM Knowledge Center.
Instructions to download and install the update from the compressed files:
-
Download the update files from Fix Central by following the link listed in the download table above
-
Extract the compressed files in an appropriate directory.
For example, choose to extract to C:\temp\update
-
Start IBM Installation Manager.
-
On the Start page of Installation Manager, click File > Preferences, and then clickRepositories. The Repositories page opens.
-
On the Repositories page, click Add Repository.
-
In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files and then click OK.
For example, enter C:\temp\update\repository.config.
-
Click OK to close the Preference page.
-
Install the update as described in the the topic Updating Installed Product Packages in the IBM Knowledge Center for your product and version.
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.8 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.7%