T3 2024 Sterling External Authentication Server is vulnerable to multiple issues

Integration News

IBM Sterling External Authentication Server is vulnerable to multiple issues.

Summary

Multiple vulnerabilities affect IBM Sterling External Authentication Server and are addressed in the latest iFixes

 

Vulnerability Details

CVEID: CVE-2024-21094
Description: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2024-21085
Description: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-21011
Description: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CWE: Click here.
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) 

CVEID: CVE-2023-38264
Description:  The IBM SDK, Java Technology Edition’s Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0
through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. 
CWE: Click here.
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-22201
Description: Eclipse Jetty is vulnerable to a denial of service, caused by a flaw when an HTTP/2 connection gets TCP congested. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the server to stop accepting new connections from valid clients, and results in a denial of service condition.
CWE: Click here.
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) 

CVEID: CVE-2024-30172
Description: The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by an infinite loop in the Ed25519 verification code. By persuading a victim to use a specially crafted signature and public key, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: Click here.
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Product 

Affected Version 

Fixed-in Version(s)

Remediation

IBM Sterling External
Authentication
Server

6.0.0.0
6.0.1.0
6.0.2.0
6.0.3.0

6.0.3.1 GA

IBM Sterling External
Authentication
Server

6.1.0.0

6.1.0.1

6.1.0.2 GA

Workarounds and Mitigations

None.

Change History:

21 Oct 2024: Initial Publication23 Oct 2024: Updated Affected / Fixed Version
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Cliquez sur le bouton ci-dessous pour télécharger cette lettre d’information au format Pdf.

Cliquez ici pour télécharger