Lucene search

IBM6BFF2F7D47BEB5AAD519E86E0FF790AFC72EDB0265341A03D475E407CEF9931B

HistoryMay 25, 2023 - 4:58 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a heap-based buffer overflow in Perl (CVE-2020-10543)

2023-05-2516:58:12

www.ibm.com

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

0.003 Low

EPSS

Percentile

69.6%

JSON

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a heap-based buffer overflow in Perl, caused by an integer overflow in the nested regular expression quantifiers. (CVE-2020-10543). Perl is included as part of the base OS used by our service components. This vulnerabilitiy has been addressed. Please read the details for remediation below.

Vulnerability Details

CVEID:CVE-2020-10543
**DESCRIPTION:**Perl is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the nested regular expression quantifiers. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183203 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data	4.0.0 - 4.6.4

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Affected Product(s)	Version(s)	Remediation/Fix/Instructions
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data	4.6.5	The fix in 4.6.5 applies to all versions listed (4.0.0-4.6.4). Version 4.6.5 can be downloaded and installed from: **
<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=installing>
**

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm speech to text for ibm cloudeq4.0.0
ibm speech to text for ibm cloudeq4.6.4

CPE	Name	Operator	Version
	ibm speech to text for ibm cloud	eq	4.0.0
	ibm speech to text for ibm cloud	eq	4.6.4

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

0.003 Low

EPSS

Percentile

69.6%

JSON

Related for 6BFF2F7D47BEB5AAD519E86E0FF790AFC72EDB0265341A03D475E407CEF9931B