Lucene search

K
ibmIBM26E94181157048066C185B8E1383FB2DEC9E7BE9253ABF78196135E279175991
HistoryJun 28, 2023 - 8:13 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in cURL libcur ( CVE-2023-23916)

2023-06-2820:13:51
www.ibm.com
25
ibm watson
cloud pak for data
vulnerability
curl libcur
cve-2023-23916
upgrading
version 4.7

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.002

Percentile

55.4%

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in cURL libcur, caused by a flaw in the decompression chain implementation ( CVE-2023-23916). cURL libcur is included as part of the base OS used by our speech services. This vulnerabilitiy has been addressed. Please read the details for remediation below.

Vulnerability Details

**CVEID:**CVE-2023-23916 DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a flaw in the decompression chain implementation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause memory errors, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 - 4.6.6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Product(s)|**Version(s)
|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.7| The fix in 4.7 applies to all versions listed (4.0.0-4.6.6). Version 4.7 can be downloaded and installed from: https://www.ibm.com/docs/en/cloud-paks/cp-data
**

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmibm_speech_to_text_for_ibm_cloudMatch4.0.0
OR
ibmibm_speech_to_text_for_ibm_cloudMatch4.6.6
VendorProductVersionCPE
ibmibm_speech_to_text_for_ibm_cloud4.0.0cpe:2.3:a:ibm:ibm_speech_to_text_for_ibm_cloud:4.0.0:*:*:*:*:*:*:*
ibmibm_speech_to_text_for_ibm_cloud4.6.6cpe:2.3:a:ibm:ibm_speech_to_text_for_ibm_cloud:4.6.6:*:*:*:*:*:*:*

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.002

Percentile

55.4%