Risk | High |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2023-45185, CVE-2023-45184, CVE-2023-45182 |
CWE-ID | CWE-863, CWE-664 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | IBM i Access Client Solutions (Client/Desktop applications / Software for system administration) |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU85034
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-45185
CWE-ID: CWE-863 - Incorrect Authorization
Exploit availability: No
Description: The vulnerability allows a remote user to execute code remotely on the system. The vulnerability exists due to improper authority checks. A remote user can trigger the vulnerability to perform operations on the PC under the user's authority.
Mitigation: Install update from vendor's website.
Vulnerable software versions: IBM i Access Client Solutions: before 1.1.9.4
External links: http://www.ibm.com/support/pages/node/7091942
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85033
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-45184
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can obtain a decryption key due to improper authority checks.
Mitigation: Install update from vendor's website.
Vulnerable software versions: IBM i Access Client Solutions: before 1.1.9.4
External links: http://www.ibm.com/support/pages/node/7091942
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU85032
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-45182
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
Exploit availability: No
Description: The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists because the key that IBM i Access Client Solutions uses for an encrypted password can be decoded. A local user can exploit this vulnerability to obtain the password to other systems.
Mitigation: Install update from vendor's website.
Vulnerable software versions: IBM i Access Client Solutions: before 1.1.9.4
External links: http://www.ibm.com/support/pages/node/7091942
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.