Jun 20, 2024 - 6:47 a.m.

Security Bulletin: IBM Watson Explorer affected by vulnerability in Apache ZooKeeper (CVE-2024-23944)

2024-06-20 06:47:46
www.ibm.com

AI Score: 5.4 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Summary

IBM Watson Explorer Foundational Components contains a vulnerable version of Apache ZooKeeper (CVE-2024-23944).

Vulnerability Details

**CVEID:** CVE-2024-23944
**DESCRIPTION:** Apache ZooKeeper could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in persistent watchers handling. By attaching a persistent watcher to a parent, an attacker could exploit this vulnerability to obtain information of the full path of znodes, and use this information to launch further attacks against the affected system.
**CVSS Base score:** 4.3
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/285579 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Watson Explorer DAE Foundational Components | 12.0.0.0, 12.0.0.1, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.14 |
| IBM Watson Explorer Foundational Components | 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2.0 - 11.0.2.18 |

Remediation/Fixes

Follow these steps to upgrade to the required version of Apache ZooKeeper.

The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>.

| Affected Product | Affected Versions | How to acquire and apply the fix |
| --- | --- | --- |
| IBM Watson Explorer DAE Foundational Components | 12.0.0, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.14 | Upgrade to Version 12.0.3.15. See Watson Explorer Version 12.0.3.15 Foundational Components for download information and instructions. |
| IBM Watson Explorer Foundational Components | 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2.0 - 11.0.2.18 | Upgrade to Watson Explorer Foundational Components Version 11.0.2 Fix Pack 19. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures. |

Workarounds and Mitigations

None

Affected configurations

Vulners node (vendor, product, version match; entries are OR-ed):

ibm watson_query Match 11.0.0
ibm watson_query Match 11.0.1
ibm watson_query Match 11.0.2
ibm watson_query Match 12.0.0
ibm watson_query Match 12.0.1
ibm watson_query Match 12.0.2
ibm watson_query Match 12.0.3
