Security Bulletin: Multiple Vulnerabilities in Golang affect IBM Cloud Pak System

Summary

Vulnerabilities in Golang Go affect IBM Cloud Pak System.

Vulnerability Details

CVEID:CVE-2023-29409
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, an remote attacker could exploit this vulnerability to cause a client/server to expend significant CPU time verifying signatures, and results in a denial of service condition.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-39325
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using HTTP/2 client, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268645 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

For unsupported or end of life release recommendation is to upgrade to supported fixed release of the product.
In response to vulnerabilities in Golang Go Cloud Pak System provides Cloud Pak System v2.3.3.7 Interim Fix 1.

For IBM Cloud Pak System v2.3.1.1, v2.3.2.0
upgrade to IBM Cloud Pak System v2.3.3.7 and apply IBM Cloud Pak System v2.3.3.7 Interim Fix 1 at Fix Central.

Information on upgrading available at <https://www.ibm.com/support/pages/node/6982511&gt;

For IBM Cloud Pak System V2.3.3.7,
Apply Cloud Pak System V2.3.3.7 Interim Fix 1 at Fix Central.
information on upgrading available at <https://www.ibm.com/support/pages/node/7045078&gt;

Workarounds and Mitigations

None