Lucene search

K
ibmIBM03D4623E3D8862AF443235CDCC3FF48B44D4AC2BB513EDEAF6BD19A4A3E18EC5
HistoryNov 30, 2023 - 6:53 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to weakened security in Python Cryptographic Authority [CVE-2023-38325]

2023-11-3018:53:04
www.ibm.com
7
ibm watson
speech services
vulnerable
python cryptographic authority
cve-2023-38325
ibm cloud pak
data
weakness
security fix
openssh
encryption
version 4.8.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.0%

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to weakened security in Python Cryptographic Authority, caused by an encoding mismatch regarding critical options with OpenSSH [CVE-2023-38325]. Python Cryptographic Authority is used for cryptography in our our Speech Service runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below.

Vulnerability Details

CVEID:CVE-2023-38325
**DESCRIPTION:**Python Cryptographic Authority cryptography could provide weaker than expected security, caused by an encoding mismatch regarding critical options with OpenSSH. An attacker could exploit this vulnerability to launch further attacks on the system
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 - 4.7.4

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.8| The fix in 4.8 applies to all versions listed (4.0.0-4.7.4). Version 4.8 can be downloaded and installed from: <https://www.ibm.com/docs/en/cloud-paks/cp-data&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.0.0
OR
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.7.4

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.0%