IBM Watson Machine Learning Accelerator 3.5.0 for Cloud Pak for Data 4.6.5 is affected by multiple vulnerabilities. This bulletin identifies the steps to take to address the vulnerabilities.
CVEID:CVE-2022-3697
**DESCRIPTION:**Ansible Collections Amazon AWS Collection could allow a remote attacker to obtain sensitive information, caused by a flaw when using the tower_callback parameter from the amazon.aws.ec2_instance module. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain password information from the log file, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-41725
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when perform multipart form parsing with mime/multipart.Reader.ReadForm. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to consume largely unlimited amounts of memory and disk files, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248957 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-41723
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploit this vulnerability to cause excessive CPU consumption, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-23471
**DESCRIPTION:**containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to exhaust memory on the host, and results in a denial of service condition.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-41724
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248257 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-24532
**DESCRIPTION:**An unspecified error with return an incorrect result in the ScalarMult and ScalarBaseMult methods of the P256 Curve in Golang Go has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2022-41721
**DESCRIPTION:**Golang Go is vulnerable to HTTP request smuggling, caused by a flaw when using MaxBytesHandler. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244775 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
Watson Machine Learning Accelerator on Cloud Pak for Data | 3.5.0 |
1. Watson Machine Learning Accelerator 4.2.0 for IBM Cloud Pak for Data 4.7.2 has addressed the following vulnerabilities:
CVE-2022-41721
CVE-2022-23471
CVE-2022-41724
CVE-2023-24532
CVE-2022-41725
To upgrade from Watson Machine Learning Accelerator 3.5.0 to 4.2.0, follow the documentation here <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.7.x?topic=upgrading-from-cloud-pak-data-version-46>
2. Watson Machine Learning Accelerator 4.8.0 for Cloud Pak for Data 4.8.0 has addressed the following vulnerabilities:
CVE-2022-41725
CVE-2022-41723
To upgrade from Watson Machine Learning Accelerator 3.5.0 to 4.8.0, follow the documentation here <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=upgrading-from-cloud-pak-data-version-46>
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm watson machine learning accelerator | eq | 3.5.0 |