Lucene search

K
ibmIBM73D612A311806E111015F2B9E8E022D54AAEEAE7E6FFF6CD66FAECBBDAF7CE69
HistoryJan 05, 2023 - 1:12 p.m.

Security Bulletin: Operations Dashboard is vulnerable to multiple Go CVEs

2023-01-0513:12:19
www.ibm.com
33
operations dashboard
go cves
denial of service
input validation
query parameter smuggling
memory exhaustion

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

0.002

Percentile

62.1%

Summary

Operations Dashboard is vulnerable to multiple Go CVEs with details below

Vulnerability Details

**CVEID:**CVE-2022-32149 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by improper input validation by the golang.org/x/text/language package. By sending a specially-crafted Accept-Language header, a remote attacker could exploit this vulnerability to cause ParseAcceptLanguage to take significant time to parse, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238605 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2022-2880 DESCRIPTION: Golang Go could allow a remote attacker to conduct query parameter smuggling, caused by the inclusion of unparseable parameters rejected by net/http in requests forwarded by ReverseProxy. An attacker could exploit this vulnerability to conduct query parameter smuggling.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240561 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**CVE-2022-2879 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by the failure to set a limit on the maximum size of file headers by Reader.Read. By using a specially crafted archive, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2022-41715 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by the compilation of regular expressions from untrusted sources. A remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240559 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product Version(s)
Operations Dashboard 2020.4
2021.1
2021.2
2021.3
2021.4
2022.2

Remediation/Fixes

Operations Dashboard in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2022.2.1-6-lts using the Operator upgrade process described in the IBM Documentation
https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-integration-tracing

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmoperations_dashboardMatch2020.42021.12021.22021.32021.42022.2
VendorProductVersionCPE
ibmoperations_dashboard2020.42021.12021.22021.32021.42022.2cpe:2.3:a:ibm:operations_dashboard:2020.42021.12021.22021.32021.42022.2:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

0.002

Percentile

62.1%