Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM8A5FC3E49CEE1529A29CA7C6E75470EB8AF8EB426923A3CEEA332E5C3E566C90
HistoryJun 19, 2024 - 10:34 a.m.

Security Bulletin: Vulnerabilities in Transparent Cloud Tiering affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products

2024-06-1910:34:42
www.ibm.com
8
vulnerabilities
transparent cloud tiering
ibm storage virtualize
denial of service
http/2 protocol
apache commons compress
code updates

CVSS3

8.1

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.813

Percentile

98.4%

JSON

Summary

Vulnerabilities in netty-codec-http2 and commons-compress affect the Transparent Cloud Tiering function in IBM Storage Virtualize products. CVE-2023-44487, CVE-2024-25710, CVE-2024-26308. Most systems do not have Transparent Cloud Tiering configured. You can confirm by running the lsvolumebackup CLI command - if there is no output, then this feature is not used, and upgrade is not required.

Vulnerability Details

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-25710
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283472 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-26308
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Virtualize 8.6

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000 and V5100, IBM Storwize V5000E, IBM Storage Virtualize Software, IBM Storage Virtualize for Public Cloud, IBM FlashSystem V9000, IBM FlashSystem 9500, IBM FlashSystem 9100 Family, IBM FlashSystem 9200, IBM FlashSystem 7300, IBM FlashSystem 7200, IBM FlashSystem 5200 and IBM FlashSystem 5000 to the following code levels or higher:

8.6.0.4

8.7.0.0

Latest IBM SAN Volume Controller Code
Latest IBM Storwize V7000 Code
Latest IBM Storwize V5000 and V5100 Code
Latest IBM Storwize V5000E Code
Latest IBM FlashSystem V9000 Code
Latest IBM FlashSystem 9500 Code
Latest IBM FlashSystem 9100 Family Code
Latest IBM FlashSystem 9200 Code
Latest IBM FlashSystem 7300 Code
Latest IBM FlashSystem 7200 Code
Latest IBM FlashSystem 5000 and 5200 Code
Latest IBM Storage Virtualize Software
Latest IBM Storage Virtualize for Public Cloud

For the Storage Nodes of IBM FlashSystem 900, please apply the fixes recommended in the IBM FlashSystem security bulletin for this issue.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmstorwize_v5000Match8.6
OR
ibmstorwize_v7000Match8.6
OR
ibmflashsystem_v9000Match8.6
OR
ibmibm_flashsystem_7x00Match8.6
OR
ibmibm_flashsystem_5x00Match8.6
OR
ibmspectrum_virtualize_for_public_cloudMatch8.6
OR
ibmspectrum_virtualize_softwareMatch8.6
OR
ibmstorwize_v5000e_firmwareMatch8.6
OR
ibmibm_flashsystem_9x00Match8.6
OR
ibmsan_volume_controllerMatch8.6
VendorProductVersionCPE
ibmstorwize_v50008.6cpe:2.3:h:ibm:storwize_v5000:8.6:*:*:*:*:*:*:*
ibmstorwize_v70008.6cpe:2.3:h:ibm:storwize_v7000:8.6:*:*:*:*:*:*:*
ibmflashsystem_v90008.6cpe:2.3:h:ibm:flashsystem_v9000:8.6:*:*:*:*:*:*:*
ibmibm_flashsystem_7x008.6cpe:2.3:a:ibm:ibm_flashsystem_7x00:8.6:*:*:*:*:*:*:*
ibmibm_flashsystem_5x008.6cpe:2.3:a:ibm:ibm_flashsystem_5x00:8.6:*:*:*:*:*:*:*
ibmspectrum_virtualize_for_public_cloud8.6cpe:2.3:a:ibm:spectrum_virtualize_for_public_cloud:8.6:*:*:*:*:*:*:*
ibmspectrum_virtualize_software8.6cpe:2.3:a:ibm:spectrum_virtualize_software:8.6:*:*:*:*:*:*:*
ibmstorwize_v5000e_firmware8.6cpe:2.3:o:ibm:storwize_v5000e_firmware:8.6:*:*:*:*:*:*:*
ibmibm_flashsystem_9x008.6cpe:2.3:a:ibm:ibm_flashsystem_9x00:8.6:*:*:*:*:*:*:*
ibmsan_volume_controller8.6cpe:2.3:h:ibm:san_volume_controller:8.6:*:*:*:*:*:*:*

Related

ibm 34
openvas 15
redhat 19
nessus 26
osv 52
nvd 2
githubexploit 1
cve 2
cgr 2
veracode 3
prion 2
debiancve 2
vulnrichment 2
github 2
ubuntucve 2
cvelist 2
redhatcve 2
wolfi 2
amazon 2
atlassian 2
oraclelinux 1
debian 2
cbl_mariner 9
almalinux 5
rocky 2
fedora 3
redos 1
ibm
ibm
Security Bulletin: Security vulnerabilities in Apache Commons Compress affects IBM License Metric Tool v9.
2024-03-19 13:38:34
Security Bulletin: IBM License Key Server Administration & Reporting Tool and Agent are vulnerable to avulnerability in Apache Commons Compress Library
2024-07-30 16:37:20
Security Bulletin: IBM DevOps Deploy / IBM Urbancode Deploy (UCD) is vulnerable to denial of service due to Apache Commons Compress ( CVE-2024-25710, CVE-2024-26308 )
2024-04-11 19:06:08
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2024:0726-1)
2024-03-01 00:00:00
Apache Commons Compress 1.21 < 1.26.0 DoS Vulnerability
2024-02-20 00:00:00
Apache Commons Compress 1.3 < 1.26.0 DoS Vulnerability
2024-02-20 00:00:00
redhat
redhat
(RHSA-2024:1509) Moderate: Red Hat Data Grid 8.4.7 security update
2024-03-26 11:13:37
(RHSA-2024:1797) Important: Red Hat build of Quarkus 2.13.9.SP2 release and security update
2024-04-22 10:57:23
(RHSA-2024:1948) Important: Red Hat Build of Apache Camel 3.18 for Quarkus 2.13 is now available (updates to RHBQ 2.13.9.SP2)
2024-04-22 13:28:12
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : Java (SUSE-SU-2024:0726-1)
2024-03-01 00:00:00
Oracle Primavera Unifier (April 2024 CPU)
2024-04-17 00:00:00
Amazon Linux 2023 : javapackages-bootstrap (ALAS2023-2024-561)
2024-03-21 00:00:00
osv
osv
Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
2024-02-19 09:30:52
CGA-ggv5-qcv7-p79c
2024-06-06 12:27:27
CGA-x85q-h487-67fx
2024-06-06 12:29:56
nvd
nvd
CVE-2024-26308
2024-02-19 09:15:38
CVE-2024-25710
2024-02-19 09:15:37
githubexploit
githubexploit
Exploit for Allocation of Resources Without Limits or Throttling in Apache Commons Compress
2024-08-11 14:10:14
cve
cve
CVE-2024-26308
2024-02-19 09:15:38
CVE-2024-25710
2024-02-19 09:15:37
cgr
cgr
CVE-2024-26308 vulnerabilities
2024-05-19 03:07:16
CVE-2024-25710 vulnerabilities
2024-05-19 03:07:16
veracode
veracode
Denial Of Service (DoS)
2024-02-20 06:39:51
Denial Of Service (DoS)
2024-02-20 06:21:30
Denial Of Service (DoS)
2023-10-12 14:37:40
prion
prion
Code injection
2024-02-19 09:15:00
Design/Logic Flaw
2024-02-19 09:15:00
debiancve
debiancve
CVE-2024-26308
2024-02-19 09:15:38
CVE-2024-25710
2024-02-19 09:15:37
vulnrichment
vulnrichment
CVE-2024-26308 Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
2024-02-19 08:31:50
CVE-2024-25710 Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
2024-02-19 08:33:40
github
github
Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
2024-02-19 09:30:52
Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
2024-02-19 09:30:50
ubuntucve
ubuntucve
CVE-2024-26308
2024-02-19 00:00:00
CVE-2024-25710
2024-02-19 00:00:00
cvelist
cvelist
CVE-2024-26308 Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
2024-02-19 08:31:50
CVE-2024-25710 Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file
2024-02-19 08:33:40
redhatcve
redhatcve
CVE-2024-26308
2024-02-19 20:50:29
CVE-2024-25710
2024-02-19 20:50:19
wolfi
wolfi
CVE-2024-26308 vulnerabilities
2024-09-20 21:14:10
CVE-2024-25710 vulnerabilities
2024-09-20 21:14:10
amazon
amazon
Important: apache-commons-compress
2024-03-13 20:26:00
Important: nghttp2
2023-10-16 13:45:00
atlassian
atlassian
Bitbucket Data Center is affected by CVE-2024-25710
2024-04-03 08:56:14
DoS (Denial of Service) io.netty:netty-codec-http2 in Confluence Data Center and Server
2023-11-03 00:45:12
oraclelinux
oraclelinux
.NET 7.0 security update
2023-10-18 00:00:00
debian
debian
[SECURITY] [DLA 3638-1] h2o security update
2023-10-31 14:09:23
[SECURITY] [DLA 3617-2] tomcat9 regression update
2023-10-16 22:23:23
cbl_mariner
cbl_mariner
CVE-2023-44487 affecting package sriov-network-device-plugin for versions less than 3.5.1-2
2024-06-21 09:32:44
CVE-2023-44487 affecting package coredns for versions less than 1.11.1-1
2024-07-22 15:42:40
CVE-2023-44487 affecting package moby-containerd-cc for versions less than 1.7.1-5
2024-02-09 19:07:07
almalinux
almalinux
Important: dotnet6.0 security update
2023-10-16 00:00:00
Important: nghttp2 security update
2023-10-18 00:00:00
Important: varnish security update
2023-10-19 00:00:00
rocky
rocky
nodejs security update
2023-10-24 18:36:46
varnish security update
2023-10-24 18:36:42
fedora
fedora
[SECURITY] Fedora 38 Update: fbthrift-2023.10.16.00-1.fc38
2023-10-24 01:23:49
[SECURITY] Fedora 38 Update: wangle-2023.10.16.00-1.fc38
2023-10-24 01:23:49
[SECURITY] Fedora 39 Update: proxygen-2023.10.16.00-1.fc39
2023-11-03 19:01:54
redos
redos
ROS-20231107-01
2023-11-07 00:00:00

CVSS3

8.1

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.813

Percentile

98.4%

JSON
Related for 8A5FC3E49CEE1529A29CA7C6E75470EB8AF8EB426923A3CEEA332E5C3E566C90
ibm34openvas15redhat19nessus26osv52nvd2githubexploit1cve2cgr2veracode3prion2debiancve2vulnrichment2github2ubuntucve2cvelist2redhatcve2wolfi2amazon2atlassian2oraclelinux1debian2cbl_mariner9almalinux5rocky2fedora3redos1