Vulnerability Alert

CVE-2024-45523 Resource Leak in API After a Failed Login Attempt 

Severity: High (7.1)

Bravura Security has identified a vulnerability in the Bravura Security Fabric application that can be exploited by an unauthenticated, remote attacker. The vulnerability resides in the Bravura Security API SOAP service (idapisoap) and extends to the Bravura Security API service (idapi). Triggered by a failed login attempt, it causes a resource leak that can lead to a denial of service, and it affects multiple versions of the Bravura Security Fabric.

Issue

An attacker can exploit this weakness from anywhere on the Internet without needing to log in. The weakness lies in the application's SOAP service, idapisoap, which is part of the Bravura Security API. The issue also affects the Bravura Security API service, idapi, which is integral to the operation of numerous processes within the Bravura Security Fabric.

By repeatedly triggering the leak, an attacker could cause the application to exhaust its available resources, such as memory, until the Bravura Security Fabric application slows down or stops working altogether, a state known as a denial of service. This would prevent legitimate users from accessing the security features the application provides.

Affected Versions

This vulnerability affects all versions of Bravura Security Fabric.

Fixed in the following patches:

  • 12.3.5.32784
  • 12.4.3.35110
  • 12.5.2.35950
  • 12.6.2.37183
  • 12.7.1.38241

Remediations

Remediation requires a patch from Bravura Security. Please click here to open a support request referencing vulnerability CVE-2024-45523, and check this knowledge base article for more information. Can't access the Knowledge Base? Contact your Account Manager to gain access.

Mitigations

If your deployment does not require remote SOAP API access, the immediate mitigation is to stop and disable the idapisoap service. Note that this does not affect the REST API.
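As an added example (not Bravura Security's own tooling), the following script checks an installed Bravura Security Fabric version against the patched builds listed above and, together with the idapisoap service state, reports whether a deployment is patched, mitigated, or still exposed. The version string format `major.minor.patch.build` and the rule that a branch with no listed fix is reported as unpatched are assumptions made here.

```python
# Added example, not vendor code: assess exposure to CVE-2024-45523 from the
# installed Bravura Security Fabric version and the idapisoap service state.
from typing import Dict, Tuple

# Patched builds from the advisory, keyed by release branch (major, minor).
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (12, 3): (12, 3, 5, 32784),
    (12, 4): (12, 4, 3, 35110),
    (12, 5): (12, 5, 2, 35950),
    (12, 6): (12, 6, 2, 37183),
    (12, 7): (12, 7, 1, 38241),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch.build' (assumed format) into an int tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return (major, minor, patch, build)


def is_patched(version: str) -> bool:
    """True only if the build is at or above the fixed build of its own branch.

    The advisory states every version is affected, so a branch with no listed
    fix (assumption: including branches newer than 12.7) is reported as
    unpatched so the operator confirms with the vendor instead of passing.
    """
    v = parse_version(version)
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return False
    return v >= fixed  # tuple comparison is lexicographic, field by field


def assess(version: str, idapisoap_running: bool) -> str:
    """Combine patch level with the advisory's mitigation (idapisoap disabled)."""
    if is_patched(version):
        return "patched"
    if not idapisoap_running:
        return "unpatched-mitigated"  # SOAP service stopped; idapi still needs the patch
    return "unpatched-exposed"


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    for ver, running in [("12.4.3.35110", True), ("12.5.1.30000", True),
                         ("12.6.1.36000", False), ("12.8.0.1", True)]:
        print(ver, "idapisoap running" if running else "idapisoap stopped", "->", assess(ver, running))
```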

Questions

For further assistance and to request the patch, please reach out to support@bravurasecurity.com.

Acknowledgments

We are committed to ensuring the security of our users and recommend immediate action to address this vulnerability. Bravura Security thanks the community and researchers who contribute to the security of our software.