Jan 31, 2024 - 1:45 p.m.

Security Bulletin: IBM Watson AI Gateway for IBM Cloud Pak for Data is vulnerable to Node.js semver package denial of service vulnerability [CVE-2022-25883]

www.ibm.com

CVSS3: 7.5 High

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.1 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 42.1%)

Summary

A potential Node.js semver package denial of service vulnerability has been identified that may affect IBM Watson AI Gateway for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. [CVE-2022-25883]

Vulnerability Details

**CVEID:** CVE-2022-25883
**DESCRIPTION:** Node.js semver package is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the new Range function. By providing specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| Watson AI Gateway for CP4D | All |

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest release (v4.7.4 or later) of IBM Watson Assistant for IBM Cloud Pak for Data, which maintains backward compatibility with the versions listed above.

| Product | Latest Version | Remediation/Fix/Instructions |
| --- | --- | --- |
| IBM Watson AI Gateway for IBM Cloud Pak for Data | 4.7.4 | Follow instructions for Installing in the link below (v4.7.4 release information) |

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.7.x>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node: ibmwatson_cp4d_data_stores, Match: any

| CPE Name | Operator | Version |
| --- | --- | --- |
| watson ai gateway for cp4d | eq | any |
