Lucene search

K
ibmIBM23541D82E64BB597DE3C429F4307418BE18BF85A01DA3AEAB0D932A429AA8863
HistorySep 03, 2024 - 8:23 p.m.

Security Bulletin: Vulnerabilities in Golang Go affect watsonx.data

2024-09-0320:23:08
www.ibm.com
5
golang go
denial of service
vulnerabilities
watsonx.data
ibm
installation
upgrade
cpd 5.0.1

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.042

Percentile

92.4%

Summary

Golang Go has two denial of service vulnerabilities. These can affect watsonx.data.

Vulnerability Details

**CVEID:**CVE-2022-27664 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a closing HTTP/2 server connection to hang, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2022-41723 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploit this vulnerability to cause excessive CPU consumption, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM watsonx.data 1.1.0 - 2.0.0

Remediation/Fixes

The product needs to be installed or upgraded to the latest available level watsonx.data 2.0.1 or watsonx.data on CPD 5.0.1. Installation/upgrade instructions can be found here: https://www.ibm.com/docs/en/watsonx/watsonxdata/2.0.x?topic=deployment-installing

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmibm_watsonx_subscriptionMatch1.1.0
OR
ibmibm_watsonx_subscriptionMatch2.0.0
VendorProductVersionCPE
ibmibm_watsonx_subscription1.1.0cpe:2.3:a:ibm:ibm_watsonx_subscription:1.1.0:*:*:*:*:*:*:*
ibmibm_watsonx_subscription2.0.0cpe:2.3:a:ibm:ibm_watsonx_subscription:2.0.0:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.042

Percentile

92.4%