IBM6E38D6332AF29471D8A0339D9060324EA35163FC6A3B4B0FBAE3C735AC1FD0F4Security Bulletin: Denial of service and password enumeration might affect IBM Storage Defender – Resiliency Service
6.5 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Summary
IBM Storage Defender – Resiliency Service is vulnerable and can result in data confidentiality and service availabilty issues. The vulnerabilities have been addressed. CVE-2023-45288, CVE-2024-25031, CVE-2024-38322, CVE-2024-33883.
Vulnerability Details
CVEID:CVE-2023-45288
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a memory exhaustion flaw due to flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286962 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-25031
**DESCRIPTION:**IBM Storage Defender - Resiliency Service uses an inadequate account lockout setting that could allow an attacker on the network to brute force account credentials.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281678 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2024-38322
**DESCRIPTION:**IBM Storage Defender agent username and password error response discrepancy exposes product to brute force enumeration.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294869 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2024-33883
**DESCRIPTION:**Node.js ejs module is vulnerable to a denial of service, caused by a prototype pollution flaw. By adding or modifying properties of Object.prototype using a proto or constructor payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289643 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Storage Defender - Resiliency Service | 2.0.0-2.0.4 |
Remediation/Fixes
The Connection Manager included with Defender 2.0.5 and newer provides the fixes. If using a version of the Connection Manager obtained from Defender 2.0.0 - 2.0.4 IBM strongly recommends upgrading. Instructions for upgrading can be found here.
Workarounds and Mitigations
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm storage defender | eq | 2.0.5 |
Related
6.5 Medium
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%