Lucene search

IBM99D6EE11D3DD44FE5E8B406E074434873B367B3B09F2C3A762ABCB24E7012E5D

HistoryJul 24, 2024 - 6:50 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to a denial of service in Grafana. (CVE-2024-21319)

2024-07-2418:50:56

www.ibm.com

ibm storage ceph

go jose

vulnerability

grafana

denial of service

cve-2024-21319

ibm x-force id

cvss

affected products

versions

remediation

upgrades

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

32.9%

JSON

Summary

Go Jose is used by IBM Storage Ceph in Grafana as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-21319

Vulnerability Details

**IBM X-Force ID:**273486
**DESCRIPTION:**go-jose is vulnerable to a denial of service, caused by a flaw when decrypting JWE inputs. By using a specially crafted p2c value, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273486 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Ceph

7.0z1-z2

IBM Storage Ceph| 6.1z1-z6, 6.0
IBM Storage Ceph| 5.3z1-z6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.1 by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading>

Workarounds and Mitigations

none

Affected configurations

Vulners

Node

ibmstorage_cephMatch7.0

ibmstorage_cephMatch1

ibmstorage_cephMatch2

ibmstorage_cephMatch6.1

ibmstorage_cephMatch1

ibmstorage_cephMatch6

ibmstorage_cephMatch6.0

ibmstorage_cephMatch5.3

ibmstorage_cephMatch1

ibmstorage_cephMatch6

VendorProductVersionCPE
ibmstorage_ceph7.0cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:*
ibmstorage_ceph1cpe:2.3:a:ibm:storage_ceph:1:*:*:*:*:*:*:*
ibmstorage_ceph2cpe:2.3:a:ibm:storage_ceph:2:*:*:*:*:*:*:*
ibmstorage_ceph6.1cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:*
ibmstorage_ceph6cpe:2.3:a:ibm:storage_ceph:6:*:*:*:*:*:*:*
ibmstorage_ceph6.0cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:*
ibmstorage_ceph5.3cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	storage_ceph	7.0	cpe:2.3:a:ibm:storage_ceph:7.0:::::::*
ibm	storage_ceph	1	cpe:2.3:a:ibm:storage_ceph:1:::::::*
ibm	storage_ceph	2	cpe:2.3:a:ibm:storage_ceph:2:::::::*
ibm	storage_ceph	6.1	cpe:2.3:a:ibm:storage_ceph:6.1:::::::*
ibm	storage_ceph	6	cpe:2.3:a:ibm:storage_ceph:6:::::::*
ibm	storage_ceph	6.0	cpe:2.3:a:ibm:storage_ceph:6.0:::::::*
ibm	storage_ceph	5.3	cpe:2.3:a:ibm:storage_ceph:5.3:::::::*