Lucene search

K
ibmIBM1E526EF1AF9493D4DFD68A54DE20164B19C56298C4825803A217A2A0D1ABCCD7
HistoryFeb 14, 2023 - 10:49 p.m.

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Netty Information Disclosure and Man-in the middle vulnerabilities

2023-02-1422:49:26
www.ibm.com
16

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

11.6%

Summary

Potential vulnerabilities in Netty information disclosure has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. Refer to details for additional information.

Vulnerability Details

CVEID:CVE-2021-21290
**DESCRIPTION:**Netty could allow a local authenticated attacker to obtain sensitive information, caused by an insecure temp file in Unix-like systems. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197110 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**IBM X-Force ID:**221368
**DESCRIPTION:**Netty is vulnerable to a man-in-the-middle attack, caused by improper hostname verification. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221368 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Assistant for IBM Cloud Pak for Data

1.5.0, 4.0.0, 4.0.2, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.5.1, 4.5.3, 4.6

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.6.2) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.

Product Latest Version Remediation/Fix/Instructions
IBM Watson Assistant for IBM Cloud Pak for Data 4.6.2

Follow instructions for Installing Watson Assistant in Link to Release (v4.6.2 release information)

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x&gt;

Workarounds and Mitigations

None

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

11.6%

Related for 1E526EF1AF9493D4DFD68A54DE20164B19C56298C4825803A217A2A0D1ABCCD7