Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty may affect IBM Storage Scale (CVE-2023-46158, CVE-2023-44487)

Published: 2024-02-15 04:30:05
Source: www.ibm.com

Tags: ibm websphere application server liberty, ibm storage scale, improper resource expiration, denial of service, http/2 protocol, ibm spectrum scale, cve-2023-46158, cve-2023-44487, vulnerabilities fix

CVSS3: 9.8 High

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.7 High (Confidence: High)

EPSS: 0.732 High (Percentile: 98.1%)

Summary

There are vulnerabilities in IBM WebSphere Application Server Liberty, used by IBM Storage Scale, which could provide weaker than expected security due to improper resource expiration handling.

Vulnerability Details

CVEID: CVE-2023-46158
**DESCRIPTION:** IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775.
CVSS Base score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268775 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2023-44487
**DESCRIPTION:** Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
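The CVE-2023-44487 description above names the observable pattern a defender can look for: a client that opens many HTTP/2 streams and immediately cancels them with RST_STREAM, so the server pays the per-stream setup cost while the client's stream counter never fills. The following detector is an added example, not code from the IBM bulletin or from IBM. It assumes a constructed, hypothetical per-frame log line format (`<epoch seconds> <client> stream=<id> frame=<type>`, with each client's lines in time order) and counts RST_STREAM frames per client in a sliding window; the threshold and window size are illustrative values, not figures from the bulletin.

```python
"""Flag HTTP/2 clients whose RST_STREAM rate matches a rapid-reset pattern.

Added example for CVE-2023-44487 detection; the log format is constructed
and hypothetical, and the threshold/window values are illustrative.
"""
import re
from collections import defaultdict, deque

# Constructed frame-log format: "<epoch seconds> <client> stream=<id> frame=<TYPE>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) stream=(?P<stream>\d+) frame=(?P<frame>[A-Z_]+)$"
)


def parse_line(line):
    """Return (timestamp, client, stream_id, frame_type) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["client"], int(m["stream"]), m["frame"]


def detect_rapid_reset(lines, window_s=1.0, threshold=100):
    """Return {client: stats} for clients whose RST_STREAM count within any
    window_s-second window reaches threshold. Lines per client must be in
    time order (an assumption of this example)."""
    resets_in_window = defaultdict(deque)  # client -> RST_STREAM timestamps in window
    headers = defaultdict(int)             # client -> streams opened
    resets = defaultdict(int)              # client -> streams reset
    peak = defaultdict(int)                # client -> max resets seen in one window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input rather than crash the detector
        ts, client, _stream, frame = rec
        if frame == "HEADERS":
            headers[client] += 1
        elif frame == "RST_STREAM":
            resets[client] += 1
            q = resets_in_window[client]
            q.append(ts)
            while q and ts - q[0] > window_s:  # evict resets older than the window
                q.popleft()
            peak[client] = max(peak[client], len(q))
    flagged = {}
    for client, p in peak.items():
        if p >= threshold:
            flagged[client] = {
                "peak_resets_per_window": p,
                # ratio near 1.0 means almost every opened stream was cancelled
                "reset_ratio": resets[client] / max(headers[client], 1),
            }
    return flagged


def build_sample_log():
    """Constructed sample: one benign client that cancels a single download,
    and one client that opens 300 streams and resets each within 300 ms."""
    lines = []
    base = 1700000000.0
    for i in range(20):  # benign client, sample addresses are constructed
        sid = 2 * i + 1
        lines.append(f"{base + i * 0.5:.3f} 10.0.0.5 stream={sid} frame=HEADERS")
        lines.append(f"{base + i * 0.5 + 0.01:.3f} 10.0.0.5 stream={sid} frame=DATA")
    lines.append(f"{base + 30.0:.3f} 10.0.0.5 stream=7 frame=RST_STREAM")
    for i in range(300):  # rapid-reset pattern from a second constructed address
        sid = 2 * i + 1
        t = base + 5.0 + i * 0.001
        lines.append(f"{t:.3f} 198.51.100.9 stream={sid} frame=HEADERS")
        lines.append(f"{t + 0.0002:.4f} 198.51.100.9 stream={sid} frame=RST_STREAM")
    return lines


if __name__ == "__main__":
    for client, stats in detect_rapid_reset(build_sample_log()).items():
        print(client, stats)
```

The window-based count is what distinguishes abuse from legitimate cancellation: a browser that abandons one download also sends RST_STREAM, so a raw total is a poor signal, whereas hundreds of resets inside a single second from one client is not normal traffic. Tune the window and threshold against your own baseline before alerting on it.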

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Spectrum Scale | 5.1.0.0 - 5.1.2.14 |
| IBM Spectrum Scale | 5.1.3.0 - 5.1.9.1 |

Remediation/Fixes

For IBM Storage Scale V5.1.0.0 through V5.1.2.14, apply V5.1.2.15 or later available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Power%20HPC%20Stack&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.2&platform=All&function=all

For IBM Storage Scale V5.1.3.0 through V5.1.9.1, apply V5.1.9.2 or later available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.1.9&platform=All&function=all
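When checking an estate against the two affected ranges and two fix levels listed above, the usual mistake is comparing version strings lexically, which ranks 5.1.2.9 above 5.1.2.14. The helper below is an added example, not part of the IBM bulletin; the ranges and fix levels are copied from the bulletin, the version strings passed to it are constructed, and versions outside both ranges are simply reported as not listed by this bulletin rather than asserted safe.

```python
"""Map an IBM Storage Scale version to the fix level this bulletin names.

Added example; affected ranges and fix levels are those stated in the
bulletin, version inputs are constructed for illustration.
"""

# (first affected, last affected, fix to apply) per the bulletin's Remediation section
AFFECTED_RANGES = [
    ("5.1.0.0", "5.1.2.14", "5.1.2.15"),
    ("5.1.3.0", "5.1.9.1", "5.1.9.2"),
]


def parse_version(version, width=4):
    """Turn '5.1.2.14' into (5, 1, 2, 14); pad short strings like '5.1.2'
    with zeros so tuple comparison is numeric and component-wise."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (width - len(parts)))


def assess(version):
    """Return whether the version lies in an affected range and, if so, the fix."""
    v = parse_version(version)
    for lo, hi, fix in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return {"version": version, "affected": True, "apply": fix}
    # Not inside either range: either already at/after a fix level, or a
    # release this bulletin does not mention. The bulletin makes no claim
    # about the latter, so do not report it as "fixed".
    return {"version": version, "affected": False, "apply": None}


if __name__ == "__main__":
    for sample in ("5.1.2.9", "5.1.2.15", "5.1.9.1", "5.1.9.2", "5.1.2"):
        print(assess(sample))
```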

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm spectrum_scale, match 5.1.

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm storage scale | eq | 5.1. |
