Security Bulletin: A vulnerability in OpenStack Swift affects IBM Storage Scale environments with the S3 capability of Object protocol enabled (CVE-2022-47950)

Published: Jul 17, 2023, 12:21 p.m.
Source: www.ibm.com

CVSS3: 6.5 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED
Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE

CVSS2: 4 Medium
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Access Vector: NETWORK; Access Complexity: LOW; Authentication: SINGLE
Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE

EPSS: 0.001 Low (percentile 33.7%)

Summary

IBM Storage Scale, shipped with OpenStack Swift, is exposed to vulnerabilities as detailed below. The exposure to this vulnerability only exists if the Object protocol has been configured with S3 enabled.

Vulnerability Details

CVEID: CVE-2022-47950
DESCRIPTION: OpenStack Swift could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the S3 XML parser. By using specially crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files from the host server.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/244878 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
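The defect class named above is an XML parser that honours DOCTYPE and entity declarations in a request body that should only ever contain plain S3 markup. The following is an added example, written for this page and not taken from OpenStack Swift or IBM Storage Scale, of a parser that fails closed: it uses Python's standard expat binding and raises as soon as a DOCTYPE is seen, so neither external nor internal entities are ever declared or resolved. The S3 request bodies (a CompleteMultipartUpload document, and the same document carrying an external entity declaration with a placeholder SYSTEM identifier) are constructed for the example.

```python
# Added example: a DTD-rejecting XML parser for an S3-style request body.
# Illustrative code written for this page; it is not OpenStack Swift's or
# IBM Storage Scale's implementation.  The sample bodies are constructed.
import xml.parsers.expat
from dataclasses import dataclass, field
from typing import List, Optional


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD, entity declaration or external reference."""


@dataclass
class Node:
    tag: str
    text: str = ""
    children: List["Node"] = field(default_factory=list)


def parse_untrusted_xml(data: bytes) -> Node:
    """Parse an XML request body into a small tree, refusing any DTD.

    An S3 API only needs element/attribute markup, so the parser fails
    closed the moment expat reports a DOCTYPE.  The entity-declaration and
    external-reference handlers are defence in depth: they only fire if a
    DOCTYPE somehow got past the first check.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(
            f"DOCTYPE not permitted in request body (name={name!r}, SYSTEM={system_id!r})"
        )

    def reject_entity_decl(*_decl):
        raise UnsafeXMLError("entity declarations not permitted")

    def reject_external_ref(context, base, system_id, public_id):
        # Returning 0 tells expat to abort instead of fetching system_id.
        return 0

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    root: Optional[Node] = None
    stack: List[Node] = []

    def start_element(tag, _attrs):
        nonlocal root
        node = Node(tag)
        if stack:
            stack[-1].children.append(node)
        else:
            root = node
        stack.append(node)

    def end_element(_tag):
        stack.pop()

    def character_data(text):
        # expat may deliver one text run in several chunks; concatenate them.
        if stack:
            stack[-1].text += text

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    parser.Parse(data, True)
    if root is None:
        raise UnsafeXMLError("document contains no root element")
    return root


def accepts(data: bytes) -> bool:
    """True if the body parses under the strict policy, False if it is rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample: an ordinary CompleteMultipartUpload body without a DTD.
BENIGN_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<CompleteMultipartUpload xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Part><PartNumber>1</PartNumber><ETag>"placeholder-etag"</ETag></Part>
</CompleteMultipartUpload>"""

# Constructed sample: the same body carrying an external entity declaration,
# the shape the bulletin describes.  The SYSTEM identifier is a placeholder.
XXE_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE CompleteMultipartUpload [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">
]>
<CompleteMultipartUpload xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Part><PartNumber>1</PartNumber><ETag>&ext;</ETag></Part>
</CompleteMultipartUpload>"""

if __name__ == "__main__":
    print("benign body accepted:", accepts(BENIGN_BODY))  # True
    print("XXE body accepted:", accepts(XXE_BODY))        # False
```

Rejecting the DOCTYPE outright is the simplest policy to reason about: it removes the whole entity mechanism rather than trying to distinguish harmless internal entities from external ones, and it is what a parser fronting an API with a fixed, DTD-free schema should do.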

Affected Products and Versions

Affected Product(s)    Version(s)
IBM Storage Scale      5.1.0.0 - 5.1.2.11
IBM Storage Scale      5.1.3.0 - 5.1.7.1

Remediation/Fixes

For IBM Storage Scale V5.1.0.0 through V5.1.2.11, apply V5.1.2.12 available from FixCentral at:
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.2&platform=All&function=all

For IBM Storage Scale V5.1.3.0 through V5.1.7.1, apply V5.1.8 available from FixCentral at:
https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.8&platform=All&function=all

Workarounds and Mitigations

None

CPE Name: ibm storage scale; Operator: eq; Version: 5.1.

