Lucene search

K
ibmIBM92D4303B0EB01A76B51EF22893D5F542B925CEDA64A6ACC58C2EE4D128EA92A9
HistoryDec 04, 2023 - 10:46 a.m.

Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2023-4911)

2023-12-0410:46:37
www.ibm.com
11
ibm elastic storage system
glibc vulnerability
cve-2023-4911
buffer overflow
elevated privileges
upgrade
fix
security bulletin

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.016

Percentile

87.4%

Summary

IBM Elastic Storage System is shipped with GNU glibc, for which a fix is available for a security vulnerability.

Vulnerability Details

CVEID:CVE-2023-4911
**DESCRIPTION:**glibc could allow a local authenticated attacker to gain elevated privileges on the system, caused by a buffer overflow in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. By sending overly long data, an attacker could exploit this vulnerability to gain root privileges on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267581 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Elastic Storage System 6.1.0.0 - 6.1.2.7
IBM Elastic Storage System 6.1.3.0 - 6.1.8.2

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM Elastic Storage System 3000, 3200, 3500 and 5000 to the following code levels or higher:

V6.1.2.8 or later

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=6.1.0&platform=All&function=all

V6.1.8.3 or later

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=6.1.8&platform=All&function=all

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmelastic_storage_systemMatch6.1.
CPENameOperatorVersion
ibm elastic storage systemeq6.1.

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.016

Percentile

87.4%