SB2022091906 - Multiple vulnerabilities in IBM Security Verify Governance, Identity Manager virtual appliance component
Published: September 19, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Missing Encryption of Sensitive Data (CVE-ID: CVE-2020-14781)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JNDI component in Java SE Embedded when processing encrypted LDAP requests. A remote non-authenticated attacker can downgrade the encrypted LDAP connection and gain access to sensitive information.
2) Improper input validation (CVE-ID: CVE-2020-14782)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to an error in CertPath implementation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-technology-edition-affects-ibm-security-verify-governance-identity-manager-virtual-appliance-component-isvg-imva-cve-2020-14781cve-2020-14782/"
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-technology-edition-affects-ibm-security-verify-governance-identity-manager-virtual-appliance-component-isvg-imva-cve-2020-14781cve-2020-14782/</a><br>
- https://www.ibm.com/support/pages/node/6491175<br><br></p>