Lucene search

IBM9274C2A0912D27923BA5D8DD650D8E4A1303797CA4654E0D08490CB2DD9F8E2C

HistoryAug 05, 2024 - 9:40 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to an Observable Discrepancy in the RHEL UBI (CVE-2024-0553)

2024-08-0521:40:50

www.ibm.com

ibm storage ceph

gnutls

timing side-channel

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.6

Confidence

High

EPSS

0.002

Percentile

62.0%

JSON

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2024-0553

Vulnerability Details

CVEID:CVE-2024-0553
**DESCRIPTION:**GnuTLS could allow a remote attacker to obtain sensitive information. By perform a timing side-channel attack in the RSA-PSK key exchange, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279606 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Ceph	7.0
IBM Storage Ceph	6.0, 6.1-6.1z3
IBM Storage Ceph	5.3z1-z5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.0z1 or later by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmstorage_cephMatch7.0

ibmstorage_cephMatch6.0

ibmstorage_cephMatch6.1

ibmstorage_cephMatch3

ibmstorage_cephMatch5.3

ibmstorage_cephMatch1

ibmstorage_cephMatch5

VendorProductVersionCPE
ibmstorage_ceph7.0cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:*
ibmstorage_ceph6.0cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:*
ibmstorage_ceph6.1cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:*
ibmstorage_ceph3cpe:2.3:a:ibm:storage_ceph:3:*:*:*:*:*:*:*
ibmstorage_ceph5.3cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:*
ibmstorage_ceph1cpe:2.3:a:ibm:storage_ceph:1:*:*:*:*:*:*:*
ibmstorage_ceph5cpe:2.3:a:ibm:storage_ceph:5:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	storage_ceph	7.0	cpe:2.3:a:ibm:storage_ceph:7.0:::::::*
ibm	storage_ceph	6.0	cpe:2.3:a:ibm:storage_ceph:6.0:::::::*
ibm	storage_ceph	6.1	cpe:2.3:a:ibm:storage_ceph:6.1:::::::*
ibm	storage_ceph	3	cpe:2.3:a:ibm:storage_ceph:3:::::::*
ibm	storage_ceph	5.3	cpe:2.3:a:ibm:storage_ceph:5.3:::::::*
ibm	storage_ceph	1	cpe:2.3:a:ibm:storage_ceph:1:::::::*
ibm	storage_ceph	5	cpe:2.3:a:ibm:storage_ceph:5:::::::*