Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to credential exposure in cURL libcurl (CVE-2022-27774)

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to credential exposure in cURL libcurl (CVE-2022-27774), which could allow an attacker to use this information to launch further attacks against the affected system. The affected component, “same host check” in cURL libcurl, is used as part of the base image included in our service images. Please read the details for remediation below.

Vulnerability Details

CVEID:CVE-2022-27774
**DESCRIPTION:**cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the “same host check” feature during a cross protocol redirects. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain credentials information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225294 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Product(s)|**Version(s)
|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.6|The fix in 4.6 applies to all versions listed (4.0.0-4.5.4). Version 4.6 can be downloaded and installed from:
<https://www.ibm.com/docs/en/cloud-paks/cp-data&gt;
**

Workarounds and Mitigations

None