Lucene search

IBM383874BB3B4AC53D1720596B6F1CA4738788363F074EB403DD88CC56A6AEE5F9

HistoryAug 03, 2024 - 3:51 a.m.

Security Bulletin: Vulnerabilities in Jackson affect Cloud Pak System [CVE-2023-3894, 256137]

2024-08-0303:51:30

www.ibm.com

jackson

cloud pak system

denial of service

ibm

vulnerabilities

upgrade

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

45.3%

JSON

Summary

Vulnerabilities in Jackson affect Cloud Pak System.

Vulnerability Details

CVEID:CVE-2023-3894
**DESCRIPTION:**FasterXML jackson-dataformats-text is vulnerable to a denial of service, caused by a stackoverflow parsing TOML data. By sending a specially crafted TOML data, a remote attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263144 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

**IBM X-Force ID:**256137
**DESCRIPTION:**FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the StreamReadConstraints value field. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256137 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

For unsupported versions the recommendation is to upgrade to supported version of the product.

This security bulletin applies to Cloud Pak System, Cloud Pak System Software, Cloud Pak System Software Suite.

IBM strongly recommends addressing the vulnerability now by applying the fix below.

For IBM Cloud Pak System v2.3.1.1, v2.3.2.0

upgrade to Cloud Pak System v2.3.3.7 , then apply Cloud Pak System v2.3.3.7 Interim Fix 1

Information on upgrading to Cloud Pak System v.2.3.3.7 at https://www.ibm.com/support/pages/node/6982511

For Cloud Pak System V2.3.3.7, apply Cloud Pak System V2.3.3.7 Interim Fix 1.

Information on upgrading to Cloud Pak System v.2.3.3.7 Interim Fix 1 at <https://www.ibm.com/support/pages/node/7045078>

For Cloud Pak System for Intel

Upgrade to Cloud Pak System v2.3.4.0 at Fix Central

Information on upgrading here <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_systemMatch2.3

VendorProductVersionCPE
ibmcloud_pak_system2.3cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_system	2.3	cpe:2.3:a:ibm:cloud_pak_system:2.3:::::::*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

45.3%

JSON

Related for 383874BB3B4AC53D1720596B6F1CA4738788363F074EB403DD88CC56A6AEE5F9