Lucene search

IBM8217D70A2063258B007054581C6AD14061DA2E0A216199D593B780C9F694257B

HistoryAug 05, 2024 - 10:01 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to an Out-of-bounds Write in the RHEL UBI (CVE-2024-2961)

2024-08-0522:01:35

www.ibm.com

ibm storage ceph

out-of-bounds write

rhel ubi

vulnerability

cve-2024-2961

gnu c library

denial of service

cvss

iso-2022-cn-ext

upgrade

CVSS3

7.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score

7.1

Confidence

High

JSON

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2024-2961.

Vulnerability Details

CVEID:CVE-2024-2961
**DESCRIPTION:**GNU C Library is vulnerable to a denial of service, caused by an out-of-bounds write flaw in the iconv() function when converting strings to the ISO-2022-CN-EXT character set. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause the application to crash or overwrite a neighbouring variable.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287843 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Ceph	7.0-7.0z2
IBM Storage Ceph	6.0, 6.1-6.1z5
IBM Storage Ceph	5.3z1-z6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.1 by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmstorage_cephMatch7.0

ibmstorage_cephMatch2

ibmstorage_cephMatch6.0

ibmstorage_cephMatch6.1

ibmstorage_cephMatch5

ibmstorage_cephMatch5.3

ibmstorage_cephMatch1

ibmstorage_cephMatch6

VendorProductVersionCPE
ibmstorage_ceph7.0cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:*
ibmstorage_ceph2cpe:2.3:a:ibm:storage_ceph:2:*:*:*:*:*:*:*
ibmstorage_ceph6.0cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:*
ibmstorage_ceph6.1cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:*
ibmstorage_ceph5cpe:2.3:a:ibm:storage_ceph:5:*:*:*:*:*:*:*
ibmstorage_ceph5.3cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:*
ibmstorage_ceph1cpe:2.3:a:ibm:storage_ceph:1:*:*:*:*:*:*:*
ibmstorage_ceph6cpe:2.3:a:ibm:storage_ceph:6:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	storage_ceph	7.0	cpe:2.3:a:ibm:storage_ceph:7.0:::::::*
ibm	storage_ceph	2	cpe:2.3:a:ibm:storage_ceph:2:::::::*
ibm	storage_ceph	6.0	cpe:2.3:a:ibm:storage_ceph:6.0:::::::*
ibm	storage_ceph	6.1	cpe:2.3:a:ibm:storage_ceph:6.1:::::::*
ibm	storage_ceph	5	cpe:2.3:a:ibm:storage_ceph:5:::::::*
ibm	storage_ceph	5.3	cpe:2.3:a:ibm:storage_ceph:5.3:::::::*
ibm	storage_ceph	1	cpe:2.3:a:ibm:storage_ceph:1:::::::*
ibm	storage_ceph	6	cpe:2.3:a:ibm:storage_ceph:6:::::::*