History: Aug 29, 2024 - 6:59 p.m.

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Nginx

2024-08-29 18:59:55
www.ibm.com

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

AI Score: 7.7
Confidence: High

Summary

IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Nginx.

Vulnerability Details

CVEID: CVE-2024-32760
**DESCRIPTION:** F5 NGINX Plus and NGINX Open Source are vulnerable to a denial of service, caused by a flaw when configured to use the HTTP/3 QUIC module. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause NGINX worker processes to terminate or cause other potential impact.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292591 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2024-34161
**DESCRIPTION:** F5 NGINX Plus and NGINX Open Source could allow a remote attacker to obtain sensitive information, caused by a flaw when configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain previously freed memory information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292592 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2024-35200
**DESCRIPTION:** F5 NGINX Plus and NGINX Open Source are vulnerable to a denial of service, caused by a flaw when configured to use the HTTP/3 QUIC module. By sending specially crafted HTTP/3 requests, a remote attacker could exploit this vulnerability to cause NGINX worker processes to terminate.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292593 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-31079
**DESCRIPTION:** F5 NGINX Plus and NGINX Open Source are vulnerable to a denial of service, caused by a flaw when configured to use the HTTP/3 QUIC module. By sending specially crafted HTTP/3 requests, a remote attacker could exploit this vulnerability to cause NGINX worker processes to terminate or cause other potential impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| ICP - Discovery | 4.0.0-4.8.5 |
| ICP - Discovery | 5.0.0 |

Remediation/Fixes

Upgrade to IBM Watson Discovery 4.8.6 or 5.0.1.

<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm watson_discovery match 4.0.0 OR ibm watson_discovery match 4.8.5 OR ibm watson_discovery match 5.0.0

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | watson_discovery | 4.0.0 | cpe:2.3:a:ibm:watson_discovery:4.0.0:*:*:*:*:*:*:* |
| ibm | watson_discovery | 4.8.5 | cpe:2.3:a:ibm:watson_discovery:4.8.5:*:*:*:*:*:*:* |
| ibm | watson_discovery | 5.0.0 | cpe:2.3:a:ibm:watson_discovery:5.0.0:*:*:*:*:*:*:* |
