Lucene search

K
ibmIBM8D24E206329F82DDFA3BD018D1F09DC1AF25EDFDCC00E3F099AAE23BC803C82C
HistoryApr 26, 2023 - 4:24 p.m.

Security Bulletin: Docker based datastores for IBM Instana do not currently require authentication

2023-04-2616:24:11
www.ibm.com
45
docker based datastores
ibm instana
authentication
vulnerability
cve-2023-27290
datastores
read/write access
ibm observability
versions
remediation
ubuntu
package manager

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

43.9%

Summary

Docker based datastores for IBM Instana do not currently require authentication. Due to this, an attacker with network or system access to the datastores could interrogate the datastores with read/write privileges (CVE-2023-27290).

Vulnerability Details

CVEID:CVE-2023-27290
**DESCRIPTION:**Docker based datastores for IBM Instana do not currently require authentication. Due to this, an attacker within the network or on the system could access the datastores with read/write access.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248737 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Observability with Instana

239-0 to 239-4
241-0 to 241-5
243-0 to 243-6
245-0 to 245-2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Upgrading your Instana console:
<https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana&gt;
Use your appropriate package manager command to update to a desired package version of Instana console.

See the following example for Ubuntu:

To get the latest version, run the command as follows:

  • sudo apt-get install instana-console

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmobservability_with_instanaMatch239
OR
ibmobservability_with_instanaMatch0
OR
ibmobservability_with_instanaMatch239
OR
ibmobservability_with_instanaMatch4
OR
ibmobservability_with_instanaMatch241
OR
ibmobservability_with_instanaMatch0
OR
ibmobservability_with_instanaMatch241
OR
ibmobservability_with_instanaMatch5
OR
ibmobservability_with_instanaMatch243
OR
ibmobservability_with_instanaMatch0
OR
ibmobservability_with_instanaMatch243
OR
ibmobservability_with_instanaMatch6
OR
ibmobservability_with_instanaMatch245
OR
ibmobservability_with_instanaMatch0
OR
ibmobservability_with_instanaMatch245
OR
ibmobservability_with_instanaMatch2

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

43.9%

Related for 8D24E206329F82DDFA3BD018D1F09DC1AF25EDFDCC00E3F099AAE23BC803C82C