Advisory No: TZCERT/SA/2024/02/08-2
Date of First Release: 8th February 2024
Software Affected: IBM Sterling Control Center
IBM has disclosed remote code execution vulnerabilities affecting IBM Sterling Control Center. The vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
The vulnerabilities, CVE-2016-1000027 and CVE-2023-20883, result respectively from an unsafe deserialization flaw in a library of the Pivotal Spring Framework and from a flaw in VMware Tanzu Spring Boot when Spring MVC is used together with a reverse proxy cache. The first can be leveraged through specially crafted input to execute arbitrary code on the affected system, while the second, through a specially crafted request, can result in a denial-of-service condition.
Successful exploitation of these vulnerabilities may allow a remote attacker to take control of the affected system or cause a denial-of-service condition on it.
IBM has released security updates to resolve these vulnerabilities. Users and administrators are encouraged to update as soon as possible.