IBM Support

IT43307: IBM STORAGE INSIGHTS SECURITY APAR FOR CVE-2022-23541, CVE-2022-23539, CVE-2022-23529, CVE-2022-23540


APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2022-23541
    Description: jsonwebtoken is an implementation of JSON Web
    Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be
    misconfigured so that passing a poorly implemented key retrieval
    function referring to the `secretOrPublicKey` argument from the
    readme link will result in incorrect verification of tokens.
    There is a possibility of using a different algorithm and key
    combination in verification, other than the one that was used to
    sign the tokens. Specifically, tokens signed with an asymmetric
    public key could be verified with a symmetric HS256 algorithm.
    This can lead to successful validation of forged tokens if your
    application supports both symmetric and asymmetric keys in its
    jwt.verify() implementation with the same key retrieval function.
    This issue has been patched, please update to version 9.0.0.
    
    
    CVEID: CVE-2022-23539
    Description: Versions `<=8.5.1` of `jsonwebtoken` library could
    be misconfigured so that legacy, insecure key types are used for
    signature verification. For example, DSA keys could be used with
    the RS256 algorithm. You are affected if you are using an
    algorithm and a key type other than a combination listed in the
    GitHub Security Advisory as unaffected. This issue has been
    fixed, please update to version 9.0.0. This version validates
    for asymmetric key type and algorithm combinations. Please refer
    to the above mentioned algorithm / key type combinations for the
    valid secure configuration. After updating to version 9.0.0, if
    you still intend to continue with signing or verifying tokens
    using invalid key type/algorithm value combinations, you'll need
    to set the `allowInvalidAsymmetricKeyTypes` option to `true` in
    the `sign()` and/or `verify()` functions.
    
    
    CVEID: CVE-2022-23529
    Description: node-jsonwebtoken is a JsonWebToken implementation
    for node.js. For versions `<= 8.5.1` of `jsonwebtoken` library,
    if a malicious actor has the ability to modify the key retrieval
    parameter (referring to the `secretOrPublicKey` argument from
    the readme link) of the `jwt.verify()` function, they can write
    arbitrary files on the host machine. Users are affected only if
    untrusted entities are allowed to modify the key retrieval
    parameter of the `jwt.verify()` on a host that you control. This
    issue has been fixed, please update to version 9.0.0.
    
    
    CVEID: CVE-2022-23540
    Description: In versions `<=8.5.1` of `jsonwebtoken` library,
    lack of algorithm definition in the `jwt.verify()` function can
    lead to signature validation bypass due to defaulting to the
    `none` algorithm for signature verification. Users are affected
    if you do not specify algorithms in the `jwt.verify()` function.
    This issue has been fixed, please update to version 9.0.0 which
    removes the default support for the none algorithm in the
    `jwt.verify()` method. There will be no impact if you update to
    version 9.0.0 and you don't need to allow the `none` algorithm.
    If you need the `none` algorithm, you have to explicitly specify
    it in the `jwt.verify()` options.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * IBM Storage Insights users                                   *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * SECURITY APAR FOR:                                           *
    * CVE-2022-23541, CVE-2022-23539,                              *
    * CVE-2022-23529, CVE-2022-23540                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • The fix for this APAR is contained in the following release:
    
    IBM Storage Insights 1Q23   [ 54X-IBM-SI ]
    ( 1Q 2023 / March )
    
    To protect IBM Storage Insights against emerging
    security vulnerabilities, the service was updated to
    protect against the vulnerabilities listed above.
    
    No action is required, there is nothing that you need
    to do following the IBM Storage Insights upgrade.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT43307

  • Reported component name

    STORAGE INSIGHT

  • Reported component ID

    5608TPCSI

  • Reported release

    54X

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-03-09

  • Closed date

    2023-03-14

  • Last modified date

    2023-03-14

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STORAGE INSIGHT

  • Fixed component ID

    5608TPCSI

Applicable component levels

  • Business Unit

    Software (BU029)

  • Product

    IBM Spectrum Control Storage Insights (SSYS7R)

  • Platform

    Platform Independent (PF025)

  • Version

    54X

Document Information

Modified date:
15 March 2023