Direct link to fix
APAR status
Closed as program error.
Error description
CVEID: CVE-2023-39333 Description: Node.js could allow a remote attacker to gain unauthorized access to the system, caused by a code injection flaw. By using specially crafted export names in an imported WebAssembly module, an attacker could exploit this vulnerability to inject JavaScript code and gain access to restricted data and functions. CVEID: CVE-2023-38552 Description: Node.js could allow a remote attacker to bypass security restrictions, caused by the circumvention of integrity checks by the policy feature. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model. CVEID: CVE-2023-44487 Description: Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption. CVEID: CVE-2023-45143 Description: Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to clear cookie header on cross-origin redirect in fetch. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to obtain cookie header information, and use this information to launch further attacks against the affected system. CVEID: CVE-2023-39331 Description: Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model. CVEID: CVE-2023-39332 Description: Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass using non-Buffer Uint8Array objects. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * IBM Spectrum Control 5.4.0 - 5.4.10.2 users * **************************************************************** * PROBLEM DESCRIPTION: * * SECURITY APAR FOR: * * CVE-2023-39333, CVE-2023-38552, * * CVE-2023-44487, CVE-2023-45143, * * CVE-2023-39331, CVE-2023-39332 * * * * See security bulletin for details of the vulnerabilities: * * https://www.ibm.com/support/pages/node/7087510 * **************************************************************** * RECOMMENDATION: * * Apply fix maintenance. * * * ****************************************************************
Problem conclusion
The fix for this APAR is contained in the following release: IBM Spectrum Control 5.4.11 [ 5.4.11-IBM-SC ] https://www.ibm.com/support/pages/node/359939
Temporary fix
Comments
APAR Information
APAR number
IT45014
Reported component name
TPC
Reported component ID
5608TPC00
Reported release
549
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-11-23
Closed date
2024-01-09
Last modified date
2024-01-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TPC
Fixed component ID
5608TPC00
Applicable component levels
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSWFB4","label":"IBM Spectrum Control Standard Edition"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"549","Line of Business":{"code":"LOB69","label":"Storage TPS"}}]
Document Information
Modified date:
02 January 2025