Lucene search

K
ibmIBM409DF2711692CAF64DCFEB080089E7540C86BEA4E0C035CBDAA6B7A478F9AC90
HistoryMay 08, 2024 - 9:39 a.m.

Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities

2024-05-0809:39:44
www.ibm.com
20
ibm observability
instana
multiple vulnerabilities
openssl
bouncy castle
denial of service
libexpat
xml external entity
docker-based installation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

44.3%

Summary

Multiple vulnerabilities were remediated in IBM Observability with Instana build 271

Vulnerability Details

**CVEID:**CVE-2023-5363 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an incorrect cipher key and IV length processing during the initialisation of some symmetric ciphers. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2023-33202 DESCRIPTION: Bouncy Castle for Java is vulnerable to a denial of service, caused by a flaw in the org.bouncycastle.openssl.PEMParser class. By sending a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272463 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2024-28757 DESCRIPTION: libexpat could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML_ExternalEntityParserCreate function. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Observability with Instana (OnPrem) Build 257 to 270

Remediation/Fixes

Update your existing Docker-based installation of IBM Observability with Instana (OnPrem) as described here:
https://www.ibm.com/docs/en/instana-observability/current

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmobservability_with_instanaMatch257
OR
ibmobservability_with_instanaMatch270
VendorProductVersionCPE
ibmobservability_with_instana257cpe:2.3:a:ibm:observability_with_instana:257:*:*:*:*:*:*:*
ibmobservability_with_instana270cpe:2.3:a:ibm:observability_with_instana:270:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

44.3%