Lucene search

K
ibmIBM962F7162A2DA07472B1A16092393EE363CD3036AEC5842E8904525F934DBA844
HistoryNov 29, 2023 - 2:49 p.m.

Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache ZooKeeper

2023-11-2914:49:33
www.ibm.com
11
ibm watson discovery
cloud pak for data
apache zookeeper
cve-2023-44981
security restrictions
sasl quorum peer authentication
cluster
counterfeit changes
cvss base score 8.1
cvss vector

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.8

Confidence

Low

EPSS

0.004

Percentile

72.6%

Summary

IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Apache ZooKeeper.

Vulnerability Details

CVEID:CVE-2023-44981
**DESCRIPTION:**Apache ZooKeeper could allow a remote attacker to bypass security restrictions, caused by a flaw when SASL Quorum Peer authentication is enabled. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization and allow arbitrary endpoints to join the cluster and begin propagating counterfeit changes.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268362 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
Watson Discovery 4.0.0-4.7.3

Remediation/Fixes

Upgrade to IBM Watson Discovery 4.8.0

<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_discoveryMatch4.0.0
OR
ibmwatson_discoveryMatch4.7.3
VendorProductVersionCPE
ibmwatson_discovery4.0.0cpe:2.3:a:ibm:watson_discovery:4.0.0:*:*:*:*:*:*:*
ibmwatson_discovery4.7.3cpe:2.3:a:ibm:watson_discovery:4.7.3:*:*:*:*:*:*:*

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.8

Confidence

Low

EPSS

0.004

Percentile

72.6%