csaf_certbund - WID-SEC-W-2023-2550

WID-SEC-W-2023-2550

Vulnerability from csaf_certbund

Published

2023-10-03 22:00

Modified

2024-04-29 22:00

Summary

IBM Rational ClearQuest: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM Rational ClearQuest stellt eine Lösung zur Fehler- und Änderungsverfolgung zur Verfügung.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM Rational ClearQuest ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM Rational ClearQuest stellt eine L\u00f6sung zur Fehler- und \u00c4nderungsverfolgung zur Verf\u00fcgung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in IBM Rational ClearQuest ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2550 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2550.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2550 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2550"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7130904 vom 2024-03-08",
        "url": "https://www.ibm.com/support/pages/node/7130904"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2023-10-03",
        "url": "https://www.ibm.com/support/pages/node/7041679"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7149801 vom 2024-04-30",
        "url": "https://www.ibm.com/support/pages/node/7149801"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM Rational ClearQuest: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-04-29T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:59:23.892+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2550",
      "initial_release_date": "2023-10-03T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-10-03T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-03-07T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-04-29T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.3",
                "product": {
                  "name": "IBM AIX 7.3",
                  "product_id": "1139691",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:aix:7.3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.2",
                "product": {
                  "name": "IBM AIX 7.2",
                  "product_id": "434967",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:aix:7.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "AIX"
          },
          {
            "category": "product_name",
            "name": "IBM MQ",
            "product": {
              "name": "IBM MQ",
              "product_id": "T021398",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:mq:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.0.3",
                "product": {
                  "name": "IBM Rational ClearQuest \u003c10.0.3",
                  "product_id": "T030177"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.0.2.8",
                "product": {
                  "name": "IBM Rational ClearQuest \u003c9.0.2.8",
                  "product_id": "T030204"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.1.0.5",
                "product": {
                  "name": "IBM Rational ClearQuest \u003c9.1.0.5",
                  "product_id": "T030211"
                }
              }
            ],
            "category": "product_name",
            "name": "Rational ClearQuest"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.1",
                "product": {
                  "name": "IBM VIOS 3.1",
                  "product_id": "1039165",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:vios:3.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "4.1",
                "product": {
                  "name": "IBM VIOS 4.1",
                  "product_id": "1522854",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:vios:4.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "VIOS"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32342",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in IBM Rational ClearQuest. Diese werden durch einen zeitbasierten Seitenkanal in der RSA-Entschl\u00fcsselungsimplementierung im IBM GSKit-Crypto verursacht. Ein entfernter, anonymer Angreifer kann diese Schwachstellen durch das Senden einer \u00fcberm\u00e4\u00dfig gro\u00dfen Anzahl von Versuchsnachrichten ausnutzen, um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "1139691",
          "434967",
          "1039165",
          "1522854",
          "T021398"
        ]
      },
      "release_date": "2023-10-03T22:00:00.000+00:00",
      "title": "CVE-2023-32342"
    },
    {
      "cve": "CVE-2023-33850",
      "notes": [
        {
          "category": "description",
          "text": "Es existieren mehrere Schwachstellen in IBM Rational ClearQuest. Diese werden durch einen zeitbasierten Seitenkanal in der RSA-Entschl\u00fcsselungsimplementierung im IBM GSKit-Crypto verursacht. Ein entfernter, anonymer Angreifer kann diese Schwachstellen durch das Senden einer \u00fcberm\u00e4\u00dfig gro\u00dfen Anzahl von Versuchsnachrichten ausnutzen, um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "1139691",
          "434967",
          "1039165",
          "1522854",
          "T021398"
        ]
      },
      "release_date": "2023-10-03T22:00:00.000+00:00",
      "title": "CVE-2023-33850"
    }
  ]
}

CVE-2023-33850 (GCVE-0-2023-33850)

Vulnerability from cvelistv5

Published

2023-08-22 20:31

Modified

2025-11-03 21:48

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-203 - Observable Discrepancy

Summary

IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.

References

URL

Tags

	https://www.ibm.com/support/pages/node/7010369	vendor-advisory
	https://www.ibm.com/support/pages/node/7022413	vendor-advisory
	https://www.ibm.com/support/pages/node/7022414	vendor-advisory

Impacted products

Vendor

Product

Version

IBM

TXSeries for Multiplatforms

Version: 8.1, 8.2, 9.1

	IBM	CICS TX Standard	Version: 11.1
	IBM	CICS TX Advanced	Version: 10.1, 11.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:48:43.280Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/7010369"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/7022413"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/7022414"
          },
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/257132"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241108-0002/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ibm:txseries_for_multiplatform:8.1:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "txseries_for_multiplatform",
            "vendor": "ibm",
            "versions": [
              {
                "status": "affected",
                "version": "8.1"
              },
              {
                "status": "affected",
                "version": "8.2"
              },
              {
                "status": "affected",
                "version": "9.1"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "cics_tx",
            "vendor": "ibm",
            "versions": [
              {
                "status": "affected",
                "version": "11.1"
              },
              {
                "status": "affected",
                "version": "10.1"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "cics_tx",
            "vendor": "ibm",
            "versions": [
              {
                "status": "affected",
                "version": "11.1"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33850",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-03T19:06:38.589742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-03T19:11:06.469Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "TXSeries for Multiplatforms",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "8.1, 8.2, 9.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CICS TX Standard",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "11.1"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "CICS TX Advanced",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "10.1, 11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(204, 217, 226);\"\u003eIBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.\u003c/span\u003e"
            }
          ],
          "value": "IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203 Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-27T13:50:22.398Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7010369"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7022413"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.ibm.com/support/pages/node/7022414"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM GSKit-Crypto information disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2023-33850",
    "datePublished": "2023-08-22T20:31:25.923Z",
    "dateReserved": "2023-05-23T00:31:59.438Z",
    "dateUpdated": "2025-11-03T21:48:43.280Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-32342 (GCVE-0-2023-32342)

Vulnerability from cvelistv5

Published

2023-05-30 21:03

Modified

2025-01-09 21:11

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

208 Information Exposure Through Timing Discrepancy

Summary

IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 255828.

References

URL

	Vendor	Product	Version
	IBM	GSKit	Version:

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

WID-SEC-W-2023-2550

Vulnerability from csaf_certbund

CVE-2023-33850 (GCVE-0-2023-33850)

Vulnerability from cvelistv5

CVE-2023-32342 (GCVE-0-2023-32342)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature