Security Bulletin: Vulnerabilities in libcurl may affect IBM Spectrum Copy Data Management (CVE-2022-32206, CVE-2022-32208)

Summary

Vulnerabilities in libcurl such as denial of service and man-in-the-middle attacks may affect IBM Spectrum Copy Data Management.

Vulnerability Details

CVEID:CVE-2022-32206
**DESCRIPTION:**cURL libcurl is vulnerable to a denial of service, caused by a flaw in the number of acceptable “links” in the “chained” HTTP compression algorithms. By persuading a victim to connect a specially-crafted server, a remote attacker could exploit this vulnerability to insert a virtually unlimited number of compression steps, and results in a denial of service condition.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229740 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-32208
**DESCRIPTION:**cURL libcurl is vulnerable to a man-in-the-middle attack, caused by a flaw in the handling of message verification failures. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to inject data to the client…
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229742 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM Spectrum Copy Data Management Affected Versions

|

Fixing Level

|

Platform

|

Link to Fix and Instructions

—|—|—|—

2.2.0.0-2.2.16.0

|

2.2.17

|

Linux

|

<https://www.ibm.com/support/pages/node/6615291&gt;

Workarounds and Mitigations

None