IBM29F555FE0C007641F374A2C889492591D81568655082EAB6C7D0BA3A429C7001Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to urllib3 for python man-in-the-middle and security bypass vulnerabilities( CVE-2021-3572,CVE-2021-28363,)
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
48.5%
Summary
Potential urllib3 for python man-in-the-middle and security bypass vulnerabilities( CVE-2021-28363, CVE-2021-3572) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. Refer to details for additional information.
Vulnerability Details
CVEID:CVE-2021-28363
**DESCRIPTION:**urllib3 for python is vulnerable to a man-in-the-middle attack, caused by improper certificate validation in some cases involving HTTPS to HTTPS proxies. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198199 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)
CVEID:CVE-2021-3572
**DESCRIPTION:**pip package for python could allow a remote authenticated attacker to bypass security restrictions, caused by the improper handling of Unicode separators in git references. By creating a specially crafted tag, an attacker could exploit this vulnerability to install a different revision on a repository.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208954 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Watson Assistant for IBM Cloud Pak for Data | 4.0.2, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.5.1, 4.5.3, 4.6. 4.6.2, 4.6.3 |
Remediation/Fixes
For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.7.0 or later releases) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.
| Product Latest Version | Remediation/Fix/Instructions |
|---|---|
| IBM Watson Assistant for IBM Cloud Pak for Data 4.7.0 |
Follow instructions for Installing Watson Assistant in Link to Release (v4.7.0 release information)
<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.7.x>
Workarounds and Mitigations
None
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
48.5%