CVE-2023-32330: 
IBM Security Verify Access (formerly ISAM) vulnerability analysis and mitigation

IBM Security Verify Access versions 10.0.0.0 through 10.0.6.1 contains a critical security vulnerability (CVE-2023-32330) that was disclosed in February 2024. The vulnerability involves the use of insecure calls that could allow an attacker on the network to take control of the server (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while IBM assessed it with a CVSS score of 7.5 (High) with vector string CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-295 (Improper Certificate Validation) (NVD).

If exploited, this vulnerability could allow an attacker on the network to take complete control of the affected server. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity impacts across all three security metrics (IBM Advisory).

IBM has released patches to address this vulnerability and encourages customers to update their systems promptly. For Docker Container deployments, users should obtain the latest version by running 'docker pull icr.io/isva/verify-access:[tag]'. For ISAM/ISVA appliances, users should upgrade to version 10.0.7-ISS-ISVA-FP0000 (IBM Advisory).