DX UIM : CVE-2023-28709 Apache Tomcat Vulnerabilities

Article ID: 266912

Products

DX Unified Infrastructure Management (Nimsoft / UIM) CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)

Issue/Introduction

Is DX UIM 20.4 CU7 affected by CVE-2023-28709?


CVE-2023-28709 Detail

Description
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. 
If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.


Environment

Release : 20.4.x

20.4 CU5 and above 

Resolution

CVE-2023-28709 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-28709

CVE-2023-24998 Detail
https://nvd.nist.gov/vuln/detail/CVE-2023-24998

UIM is not vulnerable, as it does not use the parameter referenced in the CVE description.

CVE-2023-28709 / CVE-2023-24998: Apache Commons FileUpload (commons_fileupload) is not used within UIM.

Note: UIM 20.4 CU7 ships Tomcat version 9.0.73.

The Tomcat version has been updated to 9.0.76 in UIM 20.4 CU8.
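To turn the affected-range list in the CVE description and the version notes in this resolution into a repeatable check, the following Python script is an added example written for this article; it is not Broadcom's, DX UIM's, or the Apache Tomcat project's code. It assumes a Tomcat `server.xml` (a constructed sample is embedded, not taken from any UIM install), takes the Tomcat version string as input, and the `uses_multipart_upload` flag is an operator-supplied assumption (set to False below, matching the note that Commons FileUpload is not used). The version ranges are exactly those listed in the CVE description; the script treats the version check as the deciding factor for an upgrade, and the connector and upload factors only as exposure context.

```python
import re
import xml.etree.ElementTree as ET

# Affected Tomcat ranges exactly as listed in the CVE-2023-28709 description (inclusive).
AFFECTED_RANGES = [
    ("8.5.85", "8.5.87"),
    ("9.0.71", "9.0.73"),
    ("10.1.5", "10.1.7"),
    ("11.0.0-M2", "11.0.0-M4"),
]

# Constructed sample server.xml (not from any UIM install): one connector with a
# non-default maxParameterCount, one with defaults.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxParameterCount="5000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"/>
  </Service>
</Server>
"""


def parse_version(version):
    """Turn '9.0.73' or '11.0.0-M2' into a comparable tuple.

    A milestone build sorts before the final release of the same number:
    (11, 0, 0, 0, 2) for 11.0.0-M2 is less than (11, 0, 0, 1, 0) for 11.0.0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def tomcat_in_affected_range(version):
    """True if the version falls inside any of the CVE's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def connectors_with_max_parameter_count(server_xml):
    """Return (port, maxParameterCount) for every Connector that sets the attribute
    explicitly; connectors that do not set it run with Tomcat's default."""
    root = ET.fromstring(server_xml)
    return [
        (conn.get("port"), int(conn.get("maxParameterCount")))
        for conn in root.iter("Connector")
        if "maxParameterCount" in conn.attrib
    ]


def assess(version, server_xml, uses_multipart_upload):
    """Combine the three preconditions named in the advisory into one verdict.

    The upgrade is the fix whenever the version is in range; the other two factors
    only describe whether the part-limit bypass is reachable in this deployment.
    """
    in_range = tomcat_in_affected_range(version)
    tuned = connectors_with_max_parameter_count(server_xml)
    if not in_range:
        exposure = "none: version outside the affected ranges"
    elif not tuned:
        exposure = "reduced: affected version, but no connector sets maxParameterCount"
    elif not uses_multipart_upload:
        exposure = "reduced: affected version and tuned connector, but multipart upload not used"
    else:
        exposure = "review: affected version, tuned maxParameterCount and multipart upload in use"
    return {
        "version": version,
        "version_affected": in_range,
        "tuned_connectors": tuned,
        "uses_multipart_upload": uses_multipart_upload,
        "upgrade_required": in_range,
        "exposure": exposure,
    }


if __name__ == "__main__":
    # The two versions named in this article: CU7 ships 9.0.73, CU8 moved to 9.0.76.
    for ver in ("9.0.73", "9.0.76"):
        result = assess(ver, SAMPLE_SERVER_XML, uses_multipart_upload=False)
        print(f"{ver}: upgrade_required={result['upgrade_required']}  {result['exposure']}")
```

Run it against the real `server.xml` of an installation by reading that file into `assess` in place of the sample; the version string is the one reported by the Tomcat instance itself. Note that a 9.0.73 instance is reported as needing the upgrade even when the connector and upload factors reduce exposure, which matches the article's own remedy of moving to 9.0.76.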