There are multiple vulnerabilities in IBM Sterling External Authentication Server detected by internal scans. IBM Sterling External Authentication Server has addressed the applicable vulnerabilities.
DESCRIPTION: IBM Sterling Secure Proxy and IBM Sterling External Authentication Server are vulnerable a buffer overflow, due to the Jetty based GUI in the Secure Zone not properly validating the sizes of the form content and/or HTTP headers submitted. A local attacker positioned inside the Secure Zone could submit a specially crafted HTTP request to disrupt service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219133 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
DESCRIPTION: IBM Sterling External Authentication Server is vulnerable to path traversals, due to not properly validating RESTAPI configuration data. An authorized user could import invalid data which could be used for an attack.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220144 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
|IBM Sterling External Authentication Server||6.0.3|
|IBM Sterling External Authentication Server||6.0.2|
|IBM Sterling External Authentication Server||184.108.40.206|
|IBM Sterling External Authentication Server||220.127.116.11||iFix 2||Fix Central|
|IBM Sterling External Authentication Server||18.104.22.168||iFix 5||Fix Central|
|IBM Sterling External Authentication Server||22.214.171.124||iFix 14||Fix Central|
Workarounds and Mitigations
Get Notified about Future Security Bulletins
23 Feb 2022: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
23 February 2022