Security Bulletin: Vulnerability in node.js package may affect IBM Storage Scale GUI (CVE-2022-25883)

Published: 2023-09-21 15:28:31
Source: www.ibm.com

CVSS3 (as scored by Vulners): 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
EPSS Percentile: 51.1%

Summary

There is a vulnerability in the node.js semver package used by the IBM Storage Scale GUI. A fix for this issue is available for all affected versions.

Vulnerability Details

CVEID: CVE-2022-25883
**DESCRIPTION:** The Node.js semver package is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the new Range function. By providing specially crafted input to the range parser, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/258647 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
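The fix for this class of bug is shipping a patched copy of semver, and npm projects frequently carry several nested copies of it. The following script is an added example, not part of the IBM bulletin and not IBM or semver project code: it walks the `packages` map of an npm `package-lock.json` (lockfile version 2/3 layout) and reports every copy of `semver` whose version is older than the fixed release for its major line. The fixed-version table (5.7.2, 6.3.1, 7.5.2) is an assumption taken from the semver package's own advisory and should be confirmed before relying on it; the lockfile content is constructed for the example.

```javascript
// Added example (not from the IBM bulletin): find copies of the "semver"
// package in a package-lock.json that predate the ReDoS fix.

// Assumed earliest fixed release per major line (confirm against the
// semver package's advisory before using this as policy).
const MIN_FIXED = { 5: '5.7.2', 6: '6.3.1', 7: '7.5.2' };

// Constructed sample lockfile (npm lockfileVersion 3 shape), not real data.
const SAMPLE_LOCK = JSON.stringify({
  name: 'gui-sample',
  lockfileVersion: 3,
  packages: {
    '': { name: 'gui-sample', version: '1.0.0' },
    'node_modules/semver': { version: '7.3.8' },
    'node_modules/some-tool/node_modules/semver': { version: '6.3.1' },
    'node_modules/other-tool/node_modules/semver': { version: '5.7.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
});

// Compare dotted numeric versions ("7.5.10" > "7.5.2").
// Returns a negative, zero or positive number like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when `version` is older than the assumed fixed release for its major
// line. Major lines absent from the table are flagged so a person reviews them.
function isVulnerableSemver(version) {
  const major = Number(version.split('.')[0]);
  const fixed = MIN_FIXED[major];
  if (fixed === undefined) return true;
  return compareVersions(version, fixed) < 0;
}

// Walk every "packages" entry of the lockfile. Nested copies live under
// paths such as node_modules/<dep>/node_modules/semver, so match on the
// last path segment rather than on a fixed key.
function findVulnerableSemver(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.split('/').pop() !== 'semver' || !entry.version) continue;
    if (isVulnerableSemver(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

for (const f of findVulnerableSemver(SAMPLE_LOCK)) {
  console.log(`${f.path}: semver ${f.version} predates the assumed fix`);
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file's contents; the two hits in the sample (7.3.8 and 5.7.1) are the copies that would need updating, while the nested 6.3.1 copy is already at the assumed fixed release.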

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Storage Scale | 5.1.0.0 - 5.1.2.12 |
| IBM Storage Scale | 5.1.3.0 - 5.1.8.1 |

Remediation/Fixes

For IBM Spectrum Scale V5.1.0.0 through V5.1.2.12, apply V5.1.2.13 available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.2&platform=All&function=all

For IBM Spectrum Scale V5.1.3.0 through V5.1.8.1, apply V5.1.8.2 available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.1.8&platform=All&function=all

Workarounds and Mitigations

None

Affected configurations (Vulners match)

CPE: ibm scale_out_network_attached_storage, match 5.1.
CPE name: ibm storage scale, operator: eq, version: 5.1.
