SB2023112202 - Multiple vulnerabilities in IBM Tivoli Business Service Manager 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023112202

SB2023112202 - Multiple vulnerabilities in IBM Tivoli Business Service Manager

Published: November 22, 2023

Security Bulletin ID SB2023112202
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 9% Medium 55% Low 36%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2023-39976)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in log_blackbox.c. A remote attacker can send an overly long log message tp the application, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Resource exhaustion (CVE-ID: CVE-2023-40373)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack with a specially crafted query containing common table expressions.


3) SQL injection (CVE-ID: CVE-2023-40372)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.


4) Resource exhaustion (CVE-ID: CVE-2023-30987)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2023-38719)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack during database deactivation on DPF.


6) SQL injection (CVE-ID: CVE-2023-38740)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.


7) Resource exhaustion (CVE-ID: CVE-2023-30991)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.


8) Resource exhaustion (CVE-ID: CVE-2023-38720)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted ALTER TABLE statement, trigger resource exhaustion and perform a denial of service (DoS) attack.


9) Observable discrepancy (CVE-ID: CVE-2023-33850)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to timing-based side channel in the RSA Decryption implementation. A remote attacker can send an overly large number of trial messages for decryption and gain unauthorized access to sensitive information on the system.


10) Resource exhaustion (CVE-ID: CVE-2023-40374)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted query statement, trigger resource exhaustion and perform a denial of service (DoS) attack.


11) Resource exhaustion (CVE-ID: CVE-2023-38728)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can send a specially crafted XML query statement, trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References