Lucene search

K
ibmIBM78302667F7DF5AE9F66BDC3DF29965877E21682D4985196267091C9CB8D6BF5A
HistoryMar 31, 2023 - 4:44 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in Amazon AWS S3 Crypto SDK for GoLang (CVE-2020-8912)

2023-03-3116:44:15
www.ibm.com
12

2.5 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

11.7%

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in Amazon AWS S3 Crypto SDK for GoLang caused by a flaw in the in-band key negotiation. (CVE-2020-8912). Amazon AWS S3 Crypto SDK for GoLang is included as part of the Base OS operators used by our service images. Please read the details for remediation below.

Vulnerability Details

CVEID:CVE-2020-8912
**DESCRIPTION:**Amazon AWS S3 Crypto SDK for GoLang could allow a local authenticated attacker to bypass security restrictions, caused by a flaw in the in-band key negotiation. By sending a specially-crafted request, an attacker could exploit this vulnerability to change the encryption algorithm of an object in the bucket or obtain the authentication key used by AES-GCM.
CVSS Base score: 2.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186760 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 - 4.6.3

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Product(s)|**Version(s)
|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.6.4| The fix in 4.6.4 applies to all versions listed (4.0.0-4.6.3). Version 4.6.4 can be downloaded and installed from: **
<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=installing&gt;

Workarounds and Mitigations

None

2.5 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

11.7%

Related for 78302667F7DF5AE9F66BDC3DF29965877E21682D4985196267091C9CB8D6BF5A