Lucene search

K
ibmIBM1D6A751D3FBF867BD6DE6A730DF1BEA17D885CD06BA03BEA11488BC58110D94F
HistoryJan 18, 2024 - 9:15 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to Uncontrolled Resource Consumption in Grafana (CVE-2023-44487)

2024-01-1821:15:03
www.ibm.com
19
ibm storage ceph
grafana
denial of service
http/2
resource consumption
vulnerability
upgrade

AI Score

9.4

Confidence

High

EPSS

0.708

Percentile

98.1%

Summary

Grafana is used by IBM Storage Ceph for visualization of metrics. CVE-2023-44487 This bulletin identifies the steps to take to address the vulnerability in Grafana.

Vulnerability Details

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Ceph <6.1z3
IBM Storage Ceph 5.3z1-z5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 6.1z3 by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/&gt;
<https://www.ibm.com/docs/en/storage-ceph/6?topic=upgrading&gt;

Workarounds and Mitigations

None

AI Score

9.4

Confidence

High

EPSS

0.708

Percentile

98.1%