ibmIBM006B2579DA34A655DF97220CEA309138805B75AF9D45AFB7AB6D4C8B0B6125EA
History: Nov 15, 2023 - 1:35 p.m.

Security Bulletin: Operations Dashboard is vulnerable to remote code execution due to Go

2023-11-15 13:35:41
www.ibm.com
13
remote code execution
vulnerability
go cve-2023-39320
operations dashboard
ibm cloud pak
upgrade
version 2022.2.1

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.5
Confidence: High

EPSS: 0.002
Percentile: 52.2%

Summary

Operations Dashboard is vulnerable to remote code execution due to Go CVE-2023-39320 with details below. The vulnerability has been addressed.

Vulnerability Details

CVEID: CVE-2023-39320
**DESCRIPTION:** Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the go.mod toolchain directive. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265873 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| Operations Dashboard | 2021.1.1 |
| | 2021.2.1 |
| | 2021.3.1 |
| | 2021.4.1 |
| | 2022.2.1 |

Remediation/Fixes

Operations Dashboard in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2022.2.1-16-lts using the Operator upgrade process described in the IBM Documentation:
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-integration-tracing>

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm marketing_operations, match 2021.1.1, 2021.2.1, 2021.3.1, 2021.4.1, 2022.2.1
