Support Content Notification - Support Portal

OPS/MVS 14.0 - NIM-SM Upgrade 3.3.0 to 3.3.1 -Vulnerability CVE-2018-10054

Product/Component

OPS/MVS Event Management & Automation

0 more products

Notification Id

24568

Last Updated

02 July 2024

Initial Publication Date

02 July 2024

Status

OPEN

Severity

HIGH

CVSS Base Score

9.1

WorkAround

Affected CVE

CWE094

Broadcom Mainframe Software is alerting customers to a vulnerability in the NIM-SM module (ca-nim-sm.war) that is redistributed with OPS/MVS.

Product Name	OPS/MVS 14.0
Affected component(s)	FMID:CCLXE01 Vulnerabilities in NIM-SM v3.0.0
Version PE was Introduced	FMID in Error: CCLXE01 Published Date: 08-10-2020
Severity	HIGH
CVE	CVE-2022-45868
CVSS Score	Base:7.8 Temporal:7.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Description	The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments.
Solution	LU14061
Platform(s)	z/OS

Broadcom customers may receive alerts and advisories by subscribing to Proactive Notifications.

If you missed any Mainframe Security Advisory alerts you can find all under Mainframe Security Advisories on the customer support portal.

To download a .CSV file that contains a consolidated list of security advisories affecting Broadcom mainframe products, click here for download instructions. You can use this file to easily search the CVE information.

Broadcom SECINT HOLDDATA is incorporated into our standard HOLDDATA file downloads. Therefore, it is not necessary to download any additional HOLDDATA files. Broadcom recommends that you use SMP/E Receive Order to acquire HOLDDATA and maintenance.

Customers who require additional information about this notice may contact Broadcom Support at: Support.Broadcom.com.

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." For an explanation of the CVSS scoring system and a description of each metric, please visit https://www.first.org/cvss/v3.1/specification-document

BROADCOM PROVIDES THE CVSS BASE AND TEMPORAL SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY IN THEIR SPECIFIC ENVIRONMENT. BROADCOM DOES NOT PROVIDE A CVSS ENVIRONMENT SCORE. THE CVSS ENVIRONMENT SCORE IS CUSTOMER ENVIRONMENT SPECIFIC AND WILL IMPACT THE OVERALL CVSS SCORE. CUSTOMERS SHOULD EVALUATE THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY AND CAN CALCULATE A CVSS ENVIRONMENT SCORE.

The CVSS score and all other information describing the security matter is Broadcom confidential and may be used by you for internal purposes only and may not be disclosed to any third party without Broadcom's prior written consent.