Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM7B4A1C183199E25182BD57AF6133DEEE685D37EB4180C890C42C999E8B6DC19C
HistoryJun 19, 2024 - 5:53 p.m.

Security Bulletin: Vulnerabilities in Linux components affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products

2024-06-1917:53:41
www.ibm.com
20
ibm storage virtualize
ibm san volume controller
ibm storwize
libssh
nginx
nghttp2
denial of service
authentication bypass

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

9.2

Confidence

High

EPSS

0.816

Percentile

98.4%

JSON

Summary

Vulnerabilities in libssh, nginx and nghttp2 affect IBM Storage Virtualize products and could cause denial of service and bypassing of authentication. CVE-2023-44487, CVE-2023-1667, CVE-2023-2283.

Vulnerability Details

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-1667
**DESCRIPTION:**libssh is vulnerable to a denial of service, caused by a NULL pointer dereference during rekeying with algorithm guessing. A remote authenticated attacker could exploit this vulnerability to cause the daemon to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-2283
**DESCRIPTION:**libssh could allow a remote attacker to bypass security restrictions, caused by a memory allocation flaw in thepki_verify_data_signature function. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the authentication check of the connecting client.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Virtualize 8.4
IBM Storage Virtualize 8.5
IBM Storage Virtualize 8.6

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000 and V5100, IBM Storwize V5000E, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud, IBM FlashSystem V9000, IBM FlashSystem 9500, IBM FlashSystem 9100 Family, IBM FlashSystem 9200, IBM FlashSystem 7300, IBM FlashSystem 7200, IBM FlashSystem 5200 and IBM FlashSystem 5000 to the following code levels or higher:

8.4.0.14

8.5.0.12

8.6.0.4

8.7.0.0

Latest IBM SAN Volume Controller Code
Latest IBM Storwize V7000 Code
Latest IBM Storwize V5000 and V5100 Code
Latest IBM Storwize V5000E Code
Latest IBM FlashSystem V9000 Code
Latest IBM FlashSystem 9500 Code
Latest IBM FlashSystem 9100 Family Code
Latest IBM FlashSystem 9200 Code
Latest IBM FlashSystem 7300 Code
Latest IBM FlashSystem 7200 Code
Latest IBM FlashSystem 5000 and 5200 Code
Latest IBM Spectrum Virtualize Software
Latest IBM Spectrum Virtualize for Public Cloud

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsan_volume_controllerMatch8.4
OR
ibmsan_volume_controllerMatch8.5
OR
ibmsan_volume_controllerMatch8.6
OR
ibmstorwize_v7000Match8.4
OR
ibmstorwize_v7000Match8.5
OR
ibmstorwize_v7000Match8.6
OR
ibmibm_flashsystem_7300Match8.4
OR
ibmibm_flashsystem_7300Match8.5
OR
ibmibm_flashsystem_7300Match8.6
OR
ibmflashsystem_v9000Match8.4
OR
ibmflashsystem_v9000Match8.5
OR
ibmflashsystem_v9000Match8.6
OR
ibmibm_flashsystem_9x00Match8.4
OR
ibmibm_flashsystem_9x00Match8.5
OR
ibmibm_flashsystem_9x00Match8.6
OR
ibmibm_flashsystem_9500Match8.4
OR
ibmibm_flashsystem_9500Match8.5
OR
ibmibm_flashsystem_9500Match8.6
OR
ibmspectrum_virtualize_softwareMatch8.4
OR
ibmspectrum_virtualize_softwareMatch8.5
OR
ibmspectrum_virtualize_softwareMatch8.6
OR
ibmstorwize_v5000Match8.4
OR
ibmstorwize_v5000Match8.5
OR
ibmstorwize_v5000Match8.6
OR
ibmspectrum_virtualize_for_public_cloudMatch8.4
OR
ibmspectrum_virtualize_for_public_cloudMatch8.5
OR
ibmspectrum_virtualize_for_public_cloudMatch8.6
OR
ibmibm_flashsystem_5x00Match8.4
OR
ibmibm_flashsystem_5x00Match8.5
OR
ibmibm_flashsystem_5x00Match8.6
OR
ibmstorwize_v5000e_firmwareMatch8.4
OR
ibmstorwize_v5000e_firmwareMatch8.5
OR
ibmstorwize_v5000e_firmwareMatch8.6
OR
ibmspectrum_virtualize_softwareMatch8.4
OR
ibmspectrum_virtualize_softwareMatch8.5
OR
ibmspectrum_virtualize_softwareMatch8.6
OR
ibmibm_flashsystem_7200Match8.4
OR
ibmibm_flashsystem_7200Match8.5
OR
ibmibm_flashsystem_7200Match8.6
VendorProductVersionCPE
ibmsan_volume_controller8.4cpe:2.3:h:ibm:san_volume_controller:8.4:*:*:*:*:*:*:*
ibmsan_volume_controller8.5cpe:2.3:h:ibm:san_volume_controller:8.5:*:*:*:*:*:*:*
ibmsan_volume_controller8.6cpe:2.3:h:ibm:san_volume_controller:8.6:*:*:*:*:*:*:*
ibmstorwize_v70008.4cpe:2.3:h:ibm:storwize_v7000:8.4:*:*:*:*:*:*:*
ibmstorwize_v70008.5cpe:2.3:h:ibm:storwize_v7000:8.5:*:*:*:*:*:*:*
ibmstorwize_v70008.6cpe:2.3:h:ibm:storwize_v7000:8.6:*:*:*:*:*:*:*
ibmibm_flashsystem_73008.4cpe:2.3:a:ibm:ibm_flashsystem_7300:8.4:*:*:*:*:*:*:*
ibmibm_flashsystem_73008.5cpe:2.3:a:ibm:ibm_flashsystem_7300:8.5:*:*:*:*:*:*:*
ibmibm_flashsystem_73008.6cpe:2.3:a:ibm:ibm_flashsystem_7300:8.6:*:*:*:*:*:*:*
ibmflashsystem_v90008.4cpe:2.3:h:ibm:flashsystem_v9000:8.4:*:*:*:*:*:*:*
Rows per page:
1-10 of 361

Related

osv 24
almalinux 7
nessus 51
redos 2
debian 2
oraclelinux 3
openvas 38
ubuntu 1
ibm 6
mageia 1
slackware 1
rocky 4
fedora 5
redhat 23
cloudfoundry 1
rosalinux 1
gentoo 1
redhatcve 2
ubuntucve 2
debiancve 2
nvd 2
f5 1
cvelist 2
photon 1
prion 2
cve 2
veracode 3
cbl_mariner 8
atlassian 1
osv
osv
libssh vulnerabilities
2023-06-05 14:08:01
Moderate: libssh security update
2023-06-27 00:00:00
Moderate: libssh security update
2023-11-07 00:00:00
almalinux
almalinux
Moderate: libssh security update
2023-11-07 00:00:00
Moderate: libssh security update
2023-06-27 00:00:00
Important: dotnet6.0 security update
2023-10-16 00:00:00
nessus
nessus
EulerOS 2.0 SP9 : libssh (EulerOS-SA-2023-2586)
2023-08-08 00:00:00
Ubuntu 20.04 LTS / 22.04 LTS / 23.04 : libssh vulnerabilities (USN-6138-1)
2023-06-05 00:00:00
Photon OS 5.0: Libssh PHSA-2023-5.0-0089
2024-07-24 00:00:00
redos
redos
ROS-20240329-18
2024-03-29 00:00:00
ROS-20231107-01
2023-11-07 00:00:00
debian
debian
[SECURITY] [DSA 5409-1] libssh security update
2023-05-23 11:50:46
[SECURITY] [DLA 3617-2] tomcat9 regression update
2023-10-16 22:23:23
oraclelinux
oraclelinux
libssh security update
2023-11-11 00:00:00
libssh security update
2023-06-29 00:00:00
.NET 7.0 security update
2023-10-18 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for libssh (EulerOS-SA-2023-2728)
2023-09-11 00:00:00
Fedora: Security Advisory for libssh (FEDORA-2023-5fa5ca2043)
2023-05-30 00:00:00
Huawei EulerOS: Security Advisory for libssh (EulerOS-SA-2023-2959)
2023-10-13 00:00:00
ubuntu
ubuntu
libssh vulnerabilities
2023-06-05 00:00:00
ibm
ibm
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and security restriction bypass due to [CVE-2023-2283], [CVE-2023-1667]
2023-07-27 15:40:30
Security Bulletin: Vulnerabilities in libssh library (CVE-2023-1667, CVE-2023-2283 ) affect Power HMC
2024-04-16 16:54:11
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh security bypass vulnerabilitiy [ CVE-2023-2283]
2024-01-31 13:26:00
mageia
mageia
Updated libssh packages fix security vulnerability
2023-05-21 11:42:44
slackware
slackware
[slackware-security] libssh
2023-05-04 19:11:18
rocky
rocky
libssh security update
2023-07-08 02:54:11
nodejs security update
2023-10-24 18:36:46
varnish security update
2023-10-24 18:36:42
fedora
fedora
[SECURITY] Fedora 37 Update: libssh-0.10.5-1.fc37
2023-05-28 02:56:47
[SECURITY] Fedora 38 Update: libssh-0.10.5-1.fc38
2023-05-14 01:39:52
[SECURITY] Fedora 38 Update: fbthrift-2023.10.16.00-1.fc38
2023-10-24 01:23:49
redhat
redhat
(RHSA-2023:3839) Moderate: libssh security update
2023-06-27 13:35:53
(RHSA-2023:6643) Moderate: libssh security update
2023-11-07 06:10:49
(RHSA-2024:0538) Moderate: libssh security update
2024-01-29 08:02:58
cloudfoundry
cloudfoundry
USN-6138-1: libssh vulnerabilities | Cloud Foundry
2023-06-30 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2024-2333
2024-01-30 08:34:02
gentoo
gentoo
libssh: Multiple Vulnerabilities
2023-12-22 00:00:00
redhatcve
redhatcve
CVE-2023-2283
2023-05-08 05:21:31
CVE-2023-1667
2023-05-08 04:52:00
ubuntucve
ubuntucve
CVE-2023-2283
2023-05-09 00:00:00
CVE-2023-1667
2023-05-09 00:00:00
debiancve
debiancve
CVE-2023-2283
2023-05-26 18:15:13
CVE-2023-1667
2023-05-26 18:15:10
nvd
nvd
CVE-2023-2283
2023-05-26 18:15:13
CVE-2023-1667
2023-05-26 18:15:10
f5
f5
K000138682 : libssh vulnerability CVE-2023-2283
2024-02-24 00:00:00
cvelist
cvelist
CVE-2023-2283
2023-05-26 00:00:00
CVE-2023-1667
2023-05-26 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2023-4.0-0466
2023-09-07 00:00:00
prion
prion
Authentication flaw
2023-05-26 18:15:00
Null pointer dereference
2023-05-26 18:15:00
cve
cve
CVE-2023-2283
2023-05-26 18:15:13
CVE-2023-1667
2023-05-26 18:15:10
veracode
veracode
Authorization Bypass
2023-05-21 11:53:42
Denial Of Services (DoS)
2023-05-21 16:19:18
Denial Of Service (DoS)
2023-10-12 14:37:40
cbl_mariner
cbl_mariner
CVE-2023-44487 affecting package vitess for versions less than 16.0.2-5
2024-02-09 19:07:07
CVE-2023-44487 affecting package terraform for versions less than 1.3.2-11
2024-02-09 19:07:07
CVE-2023-44487 affecting package nodejs18 for versions less than 18.18.2-1
2023-11-08 02:07:28
atlassian
atlassian
DoS (Denial of Service) io.netty:netty-codec-http2 in Confluence Data Center and Server
2023-11-03 00:45:12

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

9.2

Confidence

High

EPSS

0.816

Percentile

98.4%

JSON
Related for 7B4A1C183199E25182BD57AF6133DEEE685D37EB4180C890C42C999E8B6DC19C
osv24almalinux7nessus51redos2debian2oraclelinux3openvas38ubuntu1ibm6mageia1slackware1rocky4fedora5redhat23cloudfoundry1rosalinux1gentoo1redhatcve2ubuntucve2debiancve2nvd2f51cvelist2photon1prion2cve2veracode3cbl_mariner8atlassian1