Lucene search

IBME23E5E368C5384B3BD0EA1D29DE09B49CF49A5F44632E304B0A1EEC8896477FE

HistoryJan 05, 2023 - 5:03 a.m.

Security Bulletin: IBM Security Verify Governance is vulnerable to unauthenticated access resulting in various threats (CVE-2021-35550, CVE-2021-2163, CVE-2021-35603)

2023-01-0505:03:54

www.ibm.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.002 Low

EPSS

Percentile

51.6%

JSON

Summary

IBM Security Verify Governance is vulnerable to sensitive information access, high integrity impact and no availability impact by an unauthenticated attacker due to a vulnerability in Java SE related to the JSSE and Libraries components(CVE-2021-35550, CVE-2021-2163, CVE-2021-35603). The fix includes upgrading Java SE to the patched version.

Vulnerability Details

CVEID:CVE-2021-35550
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-2163
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200292 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2021-35603
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Security Verify Governance	10.0

Remediation/Fixes

Affected Product(s) |

Version(s)

First Fix

—|—|—

IBM Security Verify Governance

10.0.1

10.0.1.0-ISS-ISVG-IGVA-FP0003

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm security verify governanceeq10.0

CPE	Name	Operator	Version
	ibm security verify governance	eq	10.0

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:C/I:N/A:N

0.002 Low

EPSS

Percentile

51.6%

JSON

Related for E23E5E368C5384B3BD0EA1D29DE09B49CF49A5F44632E304B0A1EEC8896477FE