Lucene search

IBMFDAF684BB79F53A64ABEC74AADF58344176858B875CA4A3479A7AD52CBC51D6E

HistoryJun 27, 2024 - 9:06 a.m.

Security Bulletin: Multiple vulnerabilities in Bouncy Castle API affect IBM License Metric Tool.

2024-06-2709:06:21

www.ibm.com

ibm license metric tool

bouncy castle api

vulnerabilities

upgrade

version 9.2.36

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Summary

IBM License Metric Tool is affected by Bouncy Castle Cryptography vulnerabilities.

Vulnerability Details

CVEID:CVE-2024-30172
**DESCRIPTION:**The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by an infinite loop in the Ed25519 verification code. By persuading a victim to use a specially crafted signature and public key, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290103 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-29857
**DESCRIPTION:**The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by improper input validation. By importing an EC certificate with crafted F2m parameters, a remote attacker could exploit this vulnerability to cause excessive CPU consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290285 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-30171
**DESCRIPTION:**The Bouncy Castle Crypto Package For Java could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the RSA decryption (both PKCS#1v1.5 and OAEP) feature. By utilize timing side-channel attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289411 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM License Metric Tool	9.2.0 - 9.2.35

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest ILMT Server version 9.2.36 or later using the following procedure:
<https://www.ibm.com/docs/en/license-metric-tool?topic=tool-upgrading-latest-version>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmlicense_metric_toolMatch9.2

CPENameOperatorVersion
ibm license metric tooleq9.2

CPE	Name	Operator	Version
	ibm license metric tool	eq	9.2