Multiple vulnerabilities have been found in IBM Sterling Secure Proxy, most of them Denial of Service and Information Disclosure flaws.
The set also includes a code execution vulnerability and an unspecified vulnerability. Their severities range from 4.5 (Medium) to 9.8 (Critical).
IBM Sterling Secure Proxy is a DMZ-based software proxy application that provides secure high-speed data transfer, perimeter security, and protection against unauthorized access to critical business-internal systems.
IBM has addressed the vulnerabilities by releasing patches that resolve them.
Code Execution & Unidentified Vulnerability
CVE-2022-40609, the arbitrary code execution vulnerability, was among those IBM patched. It stems from an unsafe deserialization flaw, can be exploited by a remote attacker who sends crafted data, and has a severity of 9.8 (Critical).
Apart from the information disclosure, Denial of Service, and remote code execution vulnerabilities, one further flaw was patched for which IBM provided no additional details. It affects Oracle Java SE and the Oracle GraalVM Enterprise Edition product of Oracle Java SE.
“An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.” reads the post by IBM.
DoS and Information Disclosure
In addition, there were 8 DoS (Denial of Service) and 2 information disclosure vulnerabilities. According to IBM, the most severe of the DoS vulnerabilities are CVE-2023-24998 and CVE-2022-45685.
CVE-2023-24998 affects Apache Commons FileUpload and Tomcat and exists because the file upload function placed no limit on the number of request parts it would process. An attacker can send a specially crafted request to this function and cause a Denial of Service condition.
CVE-2022-45685 is a stack-based buffer overflow vulnerability in Jettison that can be exploited by sending an overly long string in the JSON data, resulting in a Denial of Service condition.
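The CVE-2023-24998 fix in Apache Commons FileUpload 1.5 added a cap on the number of parts parsed per request. The following is an added example, not code from the article or from IBM, showing the unbounded configuration next to the hardened one; it assumes commons-fileupload 1.5 and a servlet container are available, and the limit of 20 parts is an assumed application-specific value.

```java
// Added example (not from the article or IBM): bounding the number of
// multipart parts with Apache Commons FileUpload 1.5, the release that
// fixed CVE-2023-24998. Assumes commons-fileupload 1.5 on the classpath.
import java.io.IOException;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class UploadHandler {

    // Before the fix: byte limits exist, but nothing bounds how many parts a
    // single request may carry, so a request stuffed with parts makes the
    // server do unbounded work (the DoS condition described for CVE-2023-24998).
    static ServletFileUpload unboundedUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setSizeMax(10L * 1024 * 1024);    // total request bytes
        upload.setFileSizeMax(2L * 1024 * 1024); // bytes per file
        return upload;                           // part count still unlimited
    }

    // Hardened: 1.5 adds setFileCountMax(); choose a value matching what the
    // form really needs (20 is an assumed application limit, not a default).
    static ServletFileUpload boundedUpload() {
        ServletFileUpload upload = unboundedUpload();
        upload.setFileCountMax(20);
        return upload;
    }

    public static void handle(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart expected");
            return;
        }
        try {
            List<FileItem> items = boundedUpload().parseRequest(req);
            // process at most 20 parts here
        } catch (FileUploadException e) {
            // Exceeding the count limit, like the size limits, is reported as a
            // FileUploadException subclass: reject cheaply instead of parsing on.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "upload rejected: " + e.getMessage());
        }
    }
}
```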
| CVE ID | Description | Severity | NVD Score |
|---|---|---|---|
| CVE-2023-26049 | Eclipse Jetty information disclosure | 4.5 | – |
| CVE-2023-32338 | IBM Sterling Secure Proxy information disclosure | 5.1 | – |
| CVE-2023-26048 | Eclipse Jetty denial of service | 5.3 | – |
| CVE-2021-33813 | JDOM denial of service | 5.3 | 7.5 |
| CVE-2022-45693 | Jettison denial of service | 5.3 | – |
| CVE-2023-1436 | Jettison denial of service | 5.3 | 7.5 |
| CVE-2023-22874 | IBM MQ denial of service | 5.5 | – |
| CVE-2022-40150 | jettison-json Jettison denial of service | 6.5 | 7.5 |
| CVE-2023-21930 | Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE unspecified | 7.4 | – |
| CVE-2023-24998 | Apache Commons FileUpload and Tomcat denial of service | 7.5 | – |
| CVE-2022-45685 | Jettison denial of service | 7.5 | – |
| Eclipse Jetty’s denial of service | IBM SDK, Java Technology Edition code execution | 8.1 | 9.8 |
The affected products are IBM Sterling Secure Proxy 6.0.3 and 6.1.0. Users of these versions are advised to apply the fixes listed in the table below.

| Product | Version | Fix | Download |
|---|---|---|---|
| IBM Sterling Secure Proxy | 6.1.0 | GA | Fix Central |
| IBM Sterling Secure Proxy | 6.0.3 | iFix 08 | Fix Central |