Lucene search

IBM6C2CD836C8803E429B442ABD7452FC4EB3DBD559D22D6177037208BD7B434947

HistoryDec 18, 2019 - 5:54 p.m.

Security Bulletin: Multiple Vulnerabilities in GnuTLS affects IBM Watson Studio Local

2019-12-1817:54:07

www.ibm.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

Summary

Multiple Vulnerabilities in GnuTLS affects IBM Watson Studio Local

Vulnerability Details

CVEID:CVE-2018-10844
**DESCRIPTION:**It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148731 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2018-10845
**DESCRIPTION:**It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148730 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2018-10846
**DESCRIPTION:**A cache-based side channel in GnuTLS implementation that leads to plain text recovery in cross-VM attack setting was found. An attacker could use a combination of “Just in Time” Prime+probe attack in combination with Lucky-13 attack to recover plain text using crafted packets.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148725 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Watson Studio - Local	1.2.3

Remediation/Fixes

Product	VRMF	Remediation/First Fix
IBM Watson Studio Local	2.1	<https://www.ibm.com/software/passportadvantage/pao_customer.html>
IBM Cloud Pak for Data	2.5	<https://www.ibm.com/software/passportadvantage/pao_customer.html>

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm watson studio localeq1.2.3

CPE	Name	Operator	Version
	ibm watson studio local	eq	1.2.3

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

JSON

Related for 6C2CD836C8803E429B442ABD7452FC4EB3DBD559D22D6177037208BD7B434947