Lucene search

K
ibmIBM317F6108409FB3412E94D0A0971CBF2EF7D0E9E7971F32E418BDAC7637A219B4
HistoryAug 05, 2024 - 10:03 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer in the RHEL UBI (CVE-2023-39615)

2024-08-0522:03:30
www.ibm.com
13
ibm storage ceph
buffer overflow
rhel ubi
cve-2023-39615
xmlsoft libxml2
denial of service
ibm
upgrade

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

27.8%

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-39615.

Vulnerability Details

**CVEID:**CVE-2023-39615 DESCRIPTION: Xmlsoft Libxml2 is vulnerable to a denial of service, caused by a global buffer overflow in the xmlSAX2StartElement() function at /libxml2/SAX2.c. By supplying a crafted XML file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264758 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Ceph 7.0
IBM Storage Ceph 6.1z1-z3, 6.0
IBM Storage Ceph 5.3z1-z5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.0z1 or later by following instructions.

https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/
https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmstorage_cephMatch7.0
OR
ibmstorage_cephMatch6.1
OR
ibmstorage_cephMatch1
OR
ibmstorage_cephMatch3
OR
ibmstorage_cephMatch6.0
OR
ibmstorage_cephMatch5.3
OR
ibmstorage_cephMatch1
OR
ibmstorage_cephMatch5
VendorProductVersionCPE
ibmstorage_ceph7.0cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:*
ibmstorage_ceph6.1cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:*
ibmstorage_ceph1cpe:2.3:a:ibm:storage_ceph:1:*:*:*:*:*:*:*
ibmstorage_ceph3cpe:2.3:a:ibm:storage_ceph:3:*:*:*:*:*:*:*
ibmstorage_ceph6.0cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:*
ibmstorage_ceph5.3cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:*
ibmstorage_ceph5cpe:2.3:a:ibm:storage_ceph:5:*:*:*:*:*:*:*

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

27.8%