Lucene search

IBM2689F99C5550923992E794F95F085E5E647AC48BB4C3A6245C57D4335EF0ED02

HistoryJun 21, 2024 - 2:39 p.m.

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Node.js ( CVE-2023-44487, CVE-2023-45143 )

2024-06-2114:39:01

www.ibm.com

ibm watson assistant

cloud pak for data

node.js

vulnerabilities

cve-2023-44487

cve-2023-45143

denial of service

remote attack

security advisory

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.6 High

AI Score

Confidence

Low

0.732 High

EPSS

Percentile

98.1%

JSON

Summary

Potential vulnerabilities in Node.js related to the VM component ( CVE-2023-44487, CVE-2023-45143 ) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information.

Vulnerability Details

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-45143
**DESCRIPTION:**Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to clear cookie header on cross-origin redirect in fetch. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to obtain cookie header information, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268649 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s)	Affected Version(s)
IBM Watson Assistant for IBM Cloud Pak for Data	4.0.0 - 4.8.5

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v5.0 or later releases) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.

Product Latest Version	Remediation/Fix/Instructions
IBM Watson Assistant for IBM Cloud Pak for Data 5.0

Follow instructions for Installing Watson Assistant in Link to Release (v5.0 release information)

<https://www.ibm.com/docs/en/cloud-paks/cp-data/5.0.x>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmwatson_assistant_for_ibm_cloud_pak_for_dataRange4.0.0≥

ibmwatson_assistant_for_ibm_cloud_pak_for_dataRange≤4.8.5

CPENameOperatorVersion
ibm watson assistant for ibm cloud pak for datage4.0.0
ibm watson assistant for ibm cloud pak for datale4.8.5

CPE	Name	Operator	Version
	ibm watson assistant for ibm cloud pak for data	ge	4.0.0
	ibm watson assistant for ibm cloud pak for data	le	4.8.5

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.6 High

AI Score

Confidence

Low

0.732 High

EPSS

Percentile

98.1%

JSON

Related for 2689F99C5550923992E794F95F085E5E647AC48BB4C3A6245C57D4335EF0ED02