Lucene search

IBM117F7AD12A414B2429413FA6893B5867E18F562B58DF51087AD2611004A9256B

HistoryAug 29, 2024 - 5:43 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues

2024-08-2917:43:25

www.ibm.com

ibm watson speech

cloud pak

base os

oracle java

graalvm

unspecified vulnerabilities

cve-2023-21930

cve-2023-21937

cve-2023-21938

cve-2023-21939

cve-2023-21954

cve-2023-21967

cve-2024-35326

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.4

Confidence

High

JSON

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues. We have updated the base image used by our Speech Services and the following vulnerabilities have been addressed. Please read the details for remediation below.

Vulnerability Details

CVEID:CVE-2023-21930
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253115 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-21937
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253167 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-21938
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253155 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-21939
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253168 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-21954
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253166 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-21967
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253156 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-35326
**DESCRIPTION:**The YAML Project LibYAML is vulnerable to a buffer overflow, caused by improper bounds checking by the function yaml_emitter_emit of the file /src/libyaml/src/emitter.c. By sending a specially crafted request, a remote attacker could overflow a buffer, triggering a double-free vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294972 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2024-35328
**DESCRIPTION:**The YAML Project LibYAML is vulnerable to a distributed denial of service, caused by an derror in the function yaml_parser_parse of the file /src/libyaml/src/parser.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294971 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data	4.0.0 - 5.0.0

Remediation/Fixes

Product(s)	Version(s)	Remediation/Fix/Instructions
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data	5.0.2	The fix in 5.0.2 applies to all versions listed (4.0.0-5.0.1). Version 5.0.2 can be downloaded and installed from: <https://www.ibm.com/docs/en/cloud-paks/cp-data>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.0.0

ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch5.0.1

VendorProductVersionCPE
ibmwatson_assistant_for_ibm_cloud_pak_for_data4.0.0cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.0.0:*:*:*:*:*:*:*
ibmwatson_assistant_for_ibm_cloud_pak_for_data5.0.1cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:5.0.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	watson_assistant_for_ibm_cloud_pak_for_data	4.0.0	cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.0.0:::::::*
ibm	watson_assistant_for_ibm_cloud_pak_for_data	5.0.1	cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:5.0.1:::::::*