Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM032BA403FFFB537EAD9E87A1E69A1F0B31BA3119E1AC7324DDD80AD6CB4AA517
HistoryFeb 08, 2024 - 7:18 p.m.

Security Bulletin: Mutiple Vulnerabilties affects IBM Watson Machine Learning Accelerator 3.5.0 for Cloud Pak for Data 4.6.5

2024-02-0819:18:38
www.ibm.com
7
ibm watson ml accelerator
cloud pak for data
ansible
golang go
containerd
vulnerabilities
denial of service

7.4 High

AI Score

Confidence

High

0.02 Low

EPSS

Percentile

88.9%

JSON

Summary

IBM Watson Machine Learning Accelerator 3.5.0 for Cloud Pak for Data 4.6.5 is affected by multiple vulnerabilities. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID:CVE-2022-3697
**DESCRIPTION:**Ansible Collections Amazon AWS Collection could allow a remote attacker to obtain sensitive information, caused by a flaw when using the tower_callback parameter from the amazon.aws.ec2_instance module. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain password information from the log file, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-41725
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when perform multipart form parsing with mime/multipart.Reader.ReadForm. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to consume largely unlimited amounts of memory and disk files, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248957 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-41723
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploit this vulnerability to cause excessive CPU consumption, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-23471
**DESCRIPTION:**containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to exhaust memory on the host, and results in a denial of service condition.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-41724
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248257 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-24532
**DESCRIPTION:**An unspecified error with return an incorrect result in the ScalarMult and ScalarBaseMult methods of the P256 Curve in Golang Go has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-41721
**DESCRIPTION:**Golang Go is vulnerable to HTTP request smuggling, caused by a flaw when using MaxBytesHandler. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244775 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Watson Machine Learning Accelerator on Cloud Pak for Data 3.5.0

Remediation/Fixes

1. Watson Machine Learning Accelerator 4.2.0 for IBM Cloud Pak for Data 4.7.2 has addressed the following vulnerabilities:

CVE-2022-41721
CVE-2022-23471
CVE-2022-41724
CVE-2023-24532
CVE-2022-41725

To upgrade from Watson Machine Learning Accelerator 3.5.0 to 4.2.0, follow the documentation here <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.7.x?topic=upgrading-from-cloud-pak-data-version-46&gt;

2. Watson Machine Learning Accelerator 4.8.0 for Cloud Pak for Data 4.8.0 has addressed the following vulnerabilities:

CVE-2022-41725
CVE-2022-41723

To upgrade from Watson Machine Learning Accelerator 3.5.0 to 4.8.0, follow the documentation here <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=upgrading-from-cloud-pak-data-version-46&gt;

Workarounds and Mitigations

None

Related

mageia 1
openvas 21
ibm 29
nessus 44
redhat 7
freebsd 3
altlinux 2
osv 16
almalinux 1
rocky 1
oraclelinux 1
photon 2
gitlab 2
amazon 3
ubuntucve 5
cgr 6
debiancve 4
veracode 6
cvelist 4
wolfi 4
prion 5
alpinelinux 4
cbl_mariner 12
fedora 3
redhatcve 4
github 3
redos 1
cve 5
mageia
mageia
Updated golang packages fix security vulnerability
2023-03-24 08:55:49
openvas
openvas
Mageia: Security Advisory (MGASA-2023-0109)
2023-03-28 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-2292)
2023-07-04 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2023-1822)
2023-05-09 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Golang Go may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-32149, CVE-2022-41721, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725 and CVE-2023-24532)
2024-01-09 13:45:10
Security Bulletin: Operations Dashboard is vulnerable to denial of service due to multiple vulnerabilities in Go
2023-04-03 13:23:46
Security Bulletin: Multiple vulnerabilities in golang affect IBM Db2® REST
2023-05-01 14:59:25
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.19 (SUSE-SU-2023:0733-1)
2023-03-15 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.20 (SUSE-SU-2023:0735-1)
2023-03-15 00:00:00
SUSE SLES15 Security Update : container-suseconnect (SUSE-SU-2023:0871-1)
2023-03-23 00:00:00
redhat
redhat
(RHSA-2023:3083) Moderate: go-toolset:rhel8 security and bug fix update
2023-05-16 09:15:09
(RHSA-2023:7672) Moderate: OpenShift Virtualization 4.14.1 RPMs security and bug fix update
2023-12-06 14:32:56
(RHSA-2023:1817) Moderate: Network observability 1.2.0 for Openshift
2023-04-18 00:59:31
freebsd
freebsd
go -- multiple vulnerabilities
2023-02-14 00:00:00
traefik -- Use of vulnerable Go module x/net/http2
2022-10-22 00:00:00
go -- crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results
2023-02-22 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package golang version 1.19.6-alt1
2023-02-22 00:00:00
Security fix for the ALT Linux 10 package golang version 1.19.7-alt1
2023-03-10 00:00:00
osv
osv
Moderate: go-toolset:rhel8 security and bug fix update
2023-05-16 00:00:00
Moderate: go-toolset:Rocky Linux8 security and bug fix update
2023-05-18 19:17:56
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
2023-01-14 00:30:23
almalinux
almalinux
Moderate: go-toolset:rhel8 security and bug fix update
2023-05-16 00:00:00
rocky
rocky
go-toolset:Rocky Linux8 security and bug fix update
2023-05-18 19:17:56
oraclelinux
oraclelinux
go-toolset:ol8 security and bug fix update
2023-05-25 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2023-4.0-0362
2023-03-23 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0564
2023-04-06 00:00:00
gitlab
gitlab
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
2023-01-14 00:00:00
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
2023-01-14 00:00:00
amazon
amazon
Important: golang
2023-04-13 19:28:00
Important: golang
2023-04-13 19:01:00
Important: cni-plugins
2023-08-03 18:10:00
ubuntucve
ubuntucve
CVE-2023-24532
2023-03-08 00:00:00
CVE-2022-41721
2023-01-13 00:00:00
CVE-2022-23471
2022-12-08 00:00:00
cgr
cgr
CVE-2023-24532 vulnerabilities
2024-05-19 03:07:16
CVE-2022-23471 vulnerabilities
2024-05-19 03:07:16
CVE-2022-41721 vulnerabilities
2024-05-19 03:07:16
debiancve
debiancve
CVE-2023-24532
2023-03-08 20:15:09
CVE-2022-41721
2023-01-13 23:15:09
CVE-2022-23471
2022-12-07 23:15:00
veracode
veracode
Incorrect ECC Calculation
2023-03-09 11:15:16
HTTP Request Smuggling
2023-01-22 08:35:58
Denial Of Service (DoS)
2022-12-08 03:54:08
cvelist
cvelist
CVE-2022-23471 containerd CRI stream server: Host memory exhaustion through terminal resize goroutine leak
2022-12-07 22:51:34
CVE-2022-41721 Request smuggling due to improper request handling in golang.org/x/net/http2/h2c
2023-01-13 22:46:22
CVE-2023-24532 Incorrect calculation on P256 curves in crypto/internal/nistec
2023-03-08 19:40:45
wolfi
wolfi
CVE-2022-23471 vulnerabilities
2024-05-28 21:07:31
CVE-2023-24532 vulnerabilities
2024-05-28 21:07:31
CVE-2022-41725 vulnerabilities
2024-05-28 21:07:31
prion
prion
Code injection
2023-03-08 20:15:00
Command injection
2022-12-07 23:15:00
Design/Logic Flaw
2023-01-13 23:15:00
alpinelinux
alpinelinux
CVE-2022-23471
2022-12-07 23:15:00
CVE-2023-24532
2023-03-08 20:15:09
CVE-2022-41725
2023-02-28 18:15:00
cbl_mariner
cbl_mariner
CVE-2022-23471 affecting package moby-containerd 1.6.6+azure-4
2022-12-27 17:56:02
CVE-2022-41721 affecting package opa for versions less than 0.50.2-5
2023-08-30 15:15:49
CVE-2023-24532 affecting package golang for versions less than 1.21.6-1
2024-05-28 21:07:37
fedora
fedora
[SECURITY] Fedora 37 Update: caddy-2.6.4-1.fc37
2023-08-27 00:51:01
[SECURITY] Fedora 37 Update: skopeo-1.11.2-1.fc37
2023-04-12 01:34:16
[SECURITY] Fedora 37 Update: golang-github-gabriel-vasile-mimetype-1.4.2-1.fc37
2023-04-20 02:54:37
redhatcve
redhatcve
CVE-2022-41721
2023-01-19 04:04:56
CVE-2023-24532
2023-07-17 17:11:05
CVE-2022-41725
2023-03-15 05:13:48
github
github
golang.org/x/net/http2/h2c vulnerable to request smuggling attack
2023-01-14 00:30:23
containerd CRI stream server vulnerable to host memory exhaustion via terminal
2022-12-07 23:23:43
Ansible leaks password to logs
2022-10-28 19:00:38
redos
redos
ROS-20221223-01
2022-12-23 00:00:00
cve
cve
CVE-2023-24532
2023-03-08 20:15:09
CVE-2022-41721
2023-01-13 23:15:09
CVE-2022-23471
2022-12-07 23:15:00

7.4 High

AI Score

Confidence

High

0.02 Low

EPSS

Percentile

88.9%

JSON
Related for 032BA403FFFB537EAD9E87A1E69A1F0B31BA3119E1AC7324DDD80AD6CB4AA517
mageia1openvas21ibm29nessus44redhat7freebsd3altlinux2osv16almalinux1rocky1oraclelinux1photon2gitlab2amazon3ubuntucve5cgr6debiancve4veracode6cvelist4wolfi4prion5alpinelinux4cbl_mariner12fedora3redhatcve4github3redos1cve5