Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA67DF9D2FB6CE8D8C655B73F8ADC627A23608D06F51051D3D28D37535C632FD3
HistoryDec 15, 2023 - 1:15 p.m.

Security Bulletin: Vulnerabilities in snappy-java, Python, postgresql, Golang might affect IBM Spectrum Copy Data Management

2023-12-1513:15:03
www.ibm.com
6
ibm spectrum copy data management
snappy-java
python
postgresql
golang go
denial of service
cpu denial
authentication bypass
arbitrary code
security restrictions
vulnerability
cve-2023-43642
cve-2022-45061
cve-2023-40217
cve-2023-39417
cve-2023-39323

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.2%

JSON

Summary

IBM Spectrum Copy Data Management can be affected by vulnerabilities in snappy-java, Python, PostgreSQL, and Golang Go. Vulnerabilities include causing a denial of service condition, causing a CPU denial of service condition, gaining access to the server’s resources without being authenticated, executing arbitrary code as the bootstrap superuser, and executing arbitrary code on the system, as described by the CVEs in the “Vulnerability Details” section.

Vulnerability Details

CVEID:CVE-2023-43642
**DESCRIPTION:**snappy-java is vulnerable to a denial of service, caused by missing upper bound check on chunk length. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267079 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-45061
**DESCRIPTION:**Python is vulnerable to a denial of service, caused by an unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a CPU denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240593 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-40217
**DESCRIPTION:**Python could allow a remote attacker to bypass security restrictions, caused by a race condition in the SSLSocket module. When the socket is closed before the TLS handshake is complete, the data is treated as if it had been encrypted by TLS. An attacker could exploit this vulnerability to bypass the TLS handshake and inject a malicious client certificate into the connection and gain access to the server’s resources without being authenticated.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264374 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-39417
**DESCRIPTION:**PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the extension script. By sending a specially crafted request using @extowner@, @extschema@, or @extschema:…@ inside a quoting construct, an attacker could exploit this vulnerability to execute arbitrary code as the bootstrap superuser.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263270 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H)

CVEID:CVE-2023-39323
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by improper enforcement of line directive restrictions in the “//go:cgo_” directives. By providing specially crafted input in the linker and compiler flags, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268524 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-39325
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using HTTP/2 client, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268645 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Spectrum Copy Data Management 2.2.0.0 - 2.2.21.0

Remediation/Fixes

Affected Versions|**Fixing
**Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
2.2.0.0 - 2.2.21.0| 2.2.22| Linux| <https://www.ibm.com/support/pages/node/7070590&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmspectrum_copy_data_managementMatch2.2
CPENameOperatorVersion
ibm spectrum copy data managementeq2.2

Related

openvas 29
nessus 59
fedora 3
amazon 2
ibm 22
redhat 13
atlassian 2
debiancve 4
cvelist 3
osv 15
redhatcve 4
ubuntucve 3
cgr 3
veracode 3
nvd 4
wolfi 2
cbl_mariner 4
prion 3
cve 3
debian 1
alpinelinux 3
kaspersky 1
broadcom 1
freebsd 1
rocky 2
oraclelinux 3
almalinux 2
cloudlinux 1
ubuntu 1
redos 1
slackware 1
openvas
openvas
Fedora: Security Advisory for golang (FEDORA-2023-fe53e13b5b)
2023-10-29 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1082)
2024-01-09 00:00:00
Huawei EulerOS: Security Advisory for golang (EulerOS-SA-2024-1058)
2024-01-09 00:00:00
nessus
nessus
EulerOS 2.0 SP10 : golang (EulerOS-SA-2024-1082)
2024-01-16 00:00:00
Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2023-394)
2023-10-19 00:00:00
Fedora 39 : golang (2023-822aab0a5a)
2023-11-07 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: golang-1.21.3-1.fc39
2023-11-03 19:02:38
[SECURITY] Fedora 38 Update: golang-1.20.10-2.fc38
2023-10-29 01:34:45
[SECURITY] Fedora 37 Update: golang-1.20.10-3.fc37
2023-10-29 01:47:29
amazon
amazon
Important: golang
2023-10-16 13:45:00
Important: golang
2023-10-16 13:45:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Python may affect the IBM Storage Scale System
2023-12-12 12:03:48
Security Bulletin: IBM Security Verify Information Queue has a third-party library vulnerability (CVE-2023-43642)
2023-12-15 14:45:06
Security Bulletin: IBM Operator for Apache Flink is affected by a vulnerability in snappy-java (CVE-2023-43642)
2023-11-29 22:30:57
redhat
redhat
(RHSA-2023:6828) Important: ACS 4.1 enhancement update
2023-11-08 18:33:18
(RHSA-2023:7215) Important: Red Hat OpenShift Service Mesh Containers for 2.2.12
2023-11-15 00:13:40
(RHSA-2023:7216) Moderate: Red Hat OpenShift Service Mesh Containers for 2.4.5
2023-11-15 00:15:54
atlassian
atlassian
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Bitbucket Data Center and Server
2024-01-09 05:46:44
DoS (Denial of Service) org.xerial.snappy:snappy-java Dependency in Jira Software Data Center and Server
2024-02-14 10:46:17
debiancve
debiancve
CVE-2023-43642
2023-09-25 20:15:11
CVE-2023-39323
2023-10-05 21:15:11
CVE-2023-39417
2023-08-11 13:15:09
cvelist
cvelist
CVE-2023-43642 Missing upper bound check on chunk length in snappy-java
2023-09-25 19:03:49
CVE-2023-39323 Arbitrary code execution during build via line directives in cmd/go
2023-10-05 20:36:58
CVE-2023-39417 Postgresql: extension script @substitutions@ within quoting allow sql injection
2023-08-11 12:19:15
osv
osv
CVE-2023-43642
2023-09-25 20:15:11
Arbitrary code execution during build via line directives in cmd/go
2023-10-05 20:35:05
CVE-2023-39417
2023-08-11 13:15:09
redhatcve
redhatcve
CVE-2023-43642
2023-10-02 10:24:58
CVE-2023-39323
2023-10-09 17:57:41
CVE-2023-40217
2023-08-30 21:12:08
ubuntucve
ubuntucve
CVE-2023-43642
2023-09-25 00:00:00
CVE-2023-39323
2023-10-05 00:00:00
CVE-2023-39417
2023-08-11 00:00:00
cgr
cgr
CVE-2023-43642 vulnerabilities
2024-05-19 03:07:16
CVE-2023-39323 vulnerabilities
2024-05-19 03:07:16
CVE-2023-40217 vulnerabilities
2024-05-19 03:07:16
veracode
veracode
Arbitrary Code Execution
2023-10-12 05:25:05
SQL Injection
2023-08-16 00:26:16
Denial Of Service (DoS)
2023-10-27 18:43:36
nvd
nvd
CVE-2023-39323
2023-10-05 21:15:11
CVE-2023-39417
2023-08-11 13:15:09
CVE-2023-40217
2023-08-25 01:15:09
wolfi
wolfi
CVE-2023-39323 vulnerabilities
2024-06-16 03:08:14
CVE-2023-43642 vulnerabilities
2024-06-16 03:08:14
cbl_mariner
cbl_mariner
CVE-2023-39323 affecting package golang for versions less than 1.20.10-1
2024-06-16 03:09:11
CVE-2023-39417 affecting package postgresql for versions less than 14.10-1
2024-01-14 22:46:30
CVE-2023-39323 affecting package golang for versions less than 1.20.10-1
2024-06-16 03:09:17
prion
prion
Design/Logic Flaw
2023-10-05 21:15:00
Sql injection
2023-08-11 13:15:00
Input validation
2023-09-25 20:15:00
cve
cve
CVE-2023-39417
2023-08-11 13:15:09
CVE-2023-39323
2023-10-05 21:15:11
CVE-2023-43642
2023-09-25 20:15:11
debian
debian
[SECURITY] [DLA 3600-1] postgresql-11 security update
2023-10-03 21:57:11
alpinelinux
alpinelinux
CVE-2023-39323
2023-10-05 21:15:11
CVE-2023-40217
2023-08-25 01:15:09
CVE-2023-39417
2023-08-11 13:15:09
kaspersky
kaspersky
KLA52240 RCE vulnerability in PostgreSQL
2023-08-10 00:00:00
broadcom
broadcom
Extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)
2024-04-16 00:00:00
freebsd
freebsd
postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
2023-08-10 00:00:00
rocky
rocky
python3 security update
2023-10-24 18:36:13
python3.11 security update
2023-10-06 22:57:49
oraclelinux
oraclelinux
python3 security update
2023-11-09 00:00:00
python3 security update
2023-10-24 00:00:00
python3.9 security update
2023-10-17 00:00:00
almalinux
almalinux
Important: python3.11 security update
2023-10-05 00:00:00
Important: python3.9 security update
2023-10-05 00:00:00
cloudlinux
cloudlinux
python: Fix of CVE-2023-40217
2024-01-12 17:18:46
ubuntu
ubuntu
PostgreSQL vulnerability
2023-09-13 00:00:00
redos
redos
ROS-20231009-01
2023-10-09 00:00:00
slackware
slackware
[slackware-security] python3
2023-09-15 19:55:45

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

77.2%

JSON
Related for A67DF9D2FB6CE8D8C655B73F8ADC627A23608D06F51051D3D28D37535C632FD3
openvas29nessus59fedora3amazon2ibm22redhat13atlassian2debiancve4cvelist3osv15redhatcve4ubuntucve3cgr3veracode3nvd4wolfi2cbl_mariner4prion3cve3debian1alpinelinux3kaspersky1broadcom1freebsd1rocky2oraclelinux3almalinux2cloudlinux1ubuntu1redos1slackware1