History: Oct 09, 2023 - 1:41 p.m.

Security Bulletin: Storage Virtualize ansible collection is affected by a vulnerability in the Python Cryptographic Authority package [CVE-2023-38325]

Source: www.ibm.com

Tags: python cryptographic authority, ansible collection, vulnerability, cve-2023-38325, authentication, red hat, ibm storage virtualize, update, fix, cryptography

CVSS3: 7.5 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | HIGH |
| Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001 Low (Percentile 31.0%)

Summary

The Python Cryptographic Authority package (cryptography) is used by paramiko, a third-party library, which the Ansible collection for Storage Virtualize uses to authenticate to target systems. This library is vulnerable to CVE-2023-38325.

Vulnerability Details

CVEID: CVE-2023-38325
**DESCRIPTION:** Python Cryptographic Authority cryptography could provide weaker than expected security, caused by an encoding mismatch regarding critical options with OpenSSH. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Red Hat Certified Ansible Collection for IBM Storage Virtualize | All |

Remediation/Fixes

Update Python to version >= 3.9

Update ibm.storage_virtualize to version >= 2.1.0

Verify that cryptography >= 41.0.3 is installed. It will be installed along with the ibm.storage_virtualize level listed above.

Please note that the plugin will still work on Python < 3.9, but it is necessary to update to fix this vulnerability, as the fixed version of cryptography is not supported on Python < 3.9.

Ansible collection ibm.storage_virtualize (version 2.1.0): <https://github.com/ansible-collections/ibm.storage_virtualize>
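The remediation above amounts to two conditions on the host that runs the collection: Python at or above 3.9 and cryptography at or above 41.0.3. The following script is an added verification example, not code from the IBM bulletin or from the ibm.storage_virtualize collection; it reads the interpreter version and the installed cryptography distribution version (via the standard library `importlib.metadata`) and reports whether both thresholds from the bulletin are met. The threshold constants come from the bulletin; the function names and the wording of the findings are this example's own.

```python
"""Check that the CVE-2023-38325 remediation from the IBM bulletin is in place.

Added example (not part of the bulletin): reports whether the running Python
and the installed cryptography package meet the minimum levels the bulletin
names (Python >= 3.9, cryptography >= 41.0.3).
"""
import re
import sys
from importlib import metadata

# Minimum levels stated in the bulletin's Remediation/Fixes section.
MIN_PYTHON = (3, 9)
MIN_CRYPTOGRAPHY = (41, 0, 3)


def parse_version(text):
    """Turn a version string such as '41.0.3', '3.9' or '41.0.3.post1'
    into a three-integer tuple so it can be compared with the thresholds.
    Missing components are treated as 0 ('41.0' -> (41, 0, 0))."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def installed_cryptography_version():
    """Version string of the installed cryptography distribution, or None
    when the package is not installed in this environment."""
    try:
        return metadata.version("cryptography")
    except metadata.PackageNotFoundError:
        return None


def is_remediated(python_version, cryptography_version):
    """True only when both bulletin conditions hold. Tuple comparison makes
    (3, 9, 18) >= (3, 9) true and (3, 8, 10) >= (3, 9) false. A missing
    cryptography package (None) is reported as not remediated, because the
    collection cannot authenticate without it and nothing can be verified."""
    if cryptography_version is None:
        return False
    return (python_version >= MIN_PYTHON
            and cryptography_version >= MIN_CRYPTOGRAPHY)


def check_environment():
    """Evaluate the interpreter this script runs under.
    Returns (ok, findings) where findings lists each unmet condition."""
    py = tuple(sys.version_info[:3])
    crypto_raw = installed_cryptography_version()
    crypto = parse_version(crypto_raw) if crypto_raw else None

    findings = []
    if py < MIN_PYTHON:
        findings.append(
            f"Python {'.'.join(map(str, py))} < 3.9: the fixed cryptography "
            "release cannot be installed on this interpreter")
    if crypto is None:
        findings.append("cryptography is not installed")
    elif crypto < MIN_CRYPTOGRAPHY:
        findings.append(
            f"cryptography {crypto_raw} < 41.0.3: affected by CVE-2023-38325")
    return is_remediated(py, crypto), findings


if __name__ == "__main__":
    ok, findings = check_environment()
    print("remediated" if ok else "NOT remediated")
    for finding in findings:
        print(" -", finding)
    sys.exit(0 if ok else 1)
```

Run it with the same interpreter that Ansible uses to execute the collection (for example `ansible_python_interpreter` on the control node), since a compliant system Python says nothing about a virtualenv that carries an older cryptography wheel. The non-zero exit status makes the script usable as a gate in a pipeline that rolls out the updated collection.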

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm application_support_facility, match 2.1.0

| CPE Name | Operator | Version |
|---|---|---|
| ibm support for ansible | eq | 2.1.0 |
