Security Bulletin: Storage Virtualize ansible collection is affected by a vulnerability in the Python Cryptographic Authority package [CVE-2023-38325]

Summary

The Python Cryptographic Authority package is used by paramiko, a third party library, which is used by Ansible collection for Storage Virtualize for authentication to target systems. This library is vulnerable to CVE-2023-38325.

Vulnerability Details

CVEID:CVE-2023-38325
**DESCRIPTION:**Python Cryptographic Authority cryptography could provide weaker than expected security, caused by an encoding mismatch regarding critical options with OpenSSH. An attacker could exploit this vulnerability to launch further attacks on the system
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

Update Python to version >= 3.9

Update ibm.storage_virtualize to version >= 2.1.0

Verify that cryptography >= 41.0.3 is installed. It will be installed along with ibm.storage_virtualize level listed above.

Please note that the plugin will still work on Python < 3.9, but it is necessary to update to fix this vulnerability as the fixed version of cryptography is not supported on Python < 3.9

Ansible collection ibm.storage_virtualize (version 2.1.0): <https://github.com/ansible-collections/ibm.storage_virtualize&gt;

Workarounds and Mitigations

None