SB2024020217 - Multiple vulnerabilities in IBM Sterling Transformation Extender
Published: February 2, 2024 Updated: June 20, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Deserialization of Untrusted Data (CVE-ID: CVE-2023-46604)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in the OpenWire protocol. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Improper enforcement of behavioral workflow (CVE-ID: CVE-2023-0105)
The vulnerability allows a remote attacker to lock out other users.
The vulnerability exists due to incorrect handling of email trust, caused by handling of the verified account state when changing the email address. A remote attacker can lock our or impersonate other users.
3) Input validation error (CVE-ID: CVE-2018-25031)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into opening a specially crafted URL to display remote OpenAPI definitions.
4) Inadequate Encryption Strength (CVE-ID: CVE-2023-32342)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to IBM GSKit is using weak cryptographic algorithms. A remote attacker can send an overly large number of trial messages for decryption and perform a timing-based side channel attack against the RSA Decryption implementation.
Remediation
Install update from vendor's website.