
Security Bulletin: Vulnerability in cryptography may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2023-23931, CVE-2023-38325)

2023-12-15 13:02:00
www.ibm.com

CVSS3: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

AI Score: 8.2 (Confidence: High)
EPSS: 0.001 (Percentile: 47.7%)

Summary

Two vulnerabilities in the python cryptography package, which IBM Spectrum Sentinel Anomaly Scan Engine bundles, may affect the product. CVE-2023-23931 could allow a remote attacker to bypass security restrictions and obtain access, and CVE-2023-38325 could provide weaker than expected security that an attacker could use to launch further attacks on the system. Details and the upstream fix versions are given below.

Vulnerability Details

CVEID: CVE-2023-23931
**DESCRIPTION:** The PyPI cryptography package could allow a remote attacker to bypass security restrictions, caused by a memory corruption in Cipher.update_into. The method accepted any object implementing the buffer protocol as outbuf, including immutable objects such as bytes, and wrote ciphertext into it, corrupting an object that Python treats as immutable. An attacker could exploit this vulnerability to bypass authentication and obtain access. The issue is fixed upstream in cryptography 39.0.1, where update_into raises an exception for a non-writable buffer instead of writing into it.
CVSS Base score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/246738 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2023-38325
**DESCRIPTION:** Python Cryptographic Authority cryptography could provide weaker than expected security, caused by an encoding mismatch between cryptography and OpenSSH in the handling of critical options in SSH certificates. An attacker could exploit this vulnerability to launch further attacks on the system. The issue is fixed upstream in cryptography 41.0.2.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
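The bulletin lists only the appliance fix level, but the same two CVEs apply to any Python environment that carries the cryptography package. The following is an added example, not IBM's or pyca/cryptography's own code: it classifies a pinned or installed cryptography version against both CVEs and, when the package is importable, probes the CVE-2023-23931 behaviour directly by handing Cipher.update_into an immutable bytes object as outbuf. Assumptions, labelled in the code: the upstream fixed releases are 39.0.1 for CVE-2023-23931 and 41.0.2 for CVE-2023-38325 (from the pyca advisories for these CVEs), and the requirements lines in the usage section are constructed sample input.

```python
"""Check python 'cryptography' versions against CVE-2023-23931 and CVE-2023-38325.

Added example, not IBM's or pyca/cryptography's code. Assumption: the upstream
fixed releases are 39.0.1 (CVE-2023-23931) and 41.0.2 (CVE-2023-38325), taken
from the pyca advisories for these CVEs.
"""
import re
from importlib import metadata

# Assumed upstream fixed versions (see module docstring).
FIXED_IN = {
    "CVE-2023-23931": (39, 0, 1),  # Cipher.update_into accepted an immutable outbuf
    "CVE-2023-38325": (41, 0, 2),  # SSH certificate critical-options encoding mismatch
}

# Matches a 'cryptography==X.Y.Z' pin in a requirements/constraints file.
PIN_RE = re.compile(r"^\s*cryptography\s*==\s*([0-9][0-9A-Za-z.]*)", re.IGNORECASE)


def parse_version(text):
    """'41.0.2rc1' -> (41, 0, 2); missing minor/patch components count as 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def affected_cves(version):
    """Return the CVEs from FIXED_IN that the given cryptography version still carries."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def scan_requirements(lines):
    """Map every 'cryptography==' pin found in lines to its list of unfixed CVEs."""
    findings = {}
    for line in lines:
        m = PIN_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            findings[m.group(1)] = affected_cves(m.group(1))
    return findings


def installed_status():
    """(installed version, unfixed CVEs) for this interpreter, or (None, []) if absent."""
    try:
        ver = metadata.version("cryptography")
    except metadata.PackageNotFoundError:
        return None, []
    return ver, affected_cves(ver)


def probe_update_into():
    """Behavioural check for CVE-2023-23931.

    Hands Cipher.update_into an immutable bytes object as outbuf. A fixed release
    refuses it with an exception; a vulnerable release writes ciphertext into the
    supposedly immutable object. Returns 'not-installed', 'fixed', 'vulnerable'
    or 'unexpected'.
    """
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return "not-installed"
    # Fixed all-zero key and nonce: this is a probe of buffer handling, not real encryption.
    enc = Cipher(algorithms.AES(b"\x00" * 16), modes.CTR(b"\x00" * 16)).encryptor()
    data = b"A" * 32
    # update_into needs len(data) + block_size - 1 bytes; this buffer is immutable bytes.
    out = b"\x00" * (len(data) + 15)
    try:
        enc.update_into(data, out)
    except Exception:  # fixed releases reject the non-writable buffer
        return "fixed"
    return "vulnerable" if out != b"\x00" * len(out) else "unexpected"


if __name__ == "__main__":
    # Constructed sample requirements file (not from the bulletin).
    sample = ["# pins", "requests==2.31.0", "cryptography==38.0.4  # bundled build"]
    for ver, cves in scan_requirements(sample).items():
        print(f"pinned cryptography {ver}: {', '.join(cves) or 'no listed CVEs'}")
    ver, cves = installed_status()
    print(f"installed cryptography {ver}: {', '.join(cves) or 'no listed CVEs'}")
    print("update_into immutable-buffer probe:", probe_update_into())
```

The version check is the part to put in a CI job or an SBOM diff; the probe is a one-off confirmation that the package actually running is a fixed build, which matters when a vendor backports a fix without bumping the version string.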

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Storage Sentinel Anomaly Scan Engine | 1.1.0 - 1.1.5

Remediation/Fixes

IBM Spectrum Sentinel Anomaly Scan Engine | Fixing Level | Platform | Link to Fix and Instructions
---|---|---|---
1.1.0-1.1.5 | 1.1.6 | Linux | <https://www.ibm.com/support/pages/node/7070601>

Please refer to the IBM Spectrum Copy Data Management security bulletins for the Spectrum Copy Data Management vulnerabilities.

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm / ibm_storage_sentinel, match 1.1

Vendor | Product | Version | CPE
---|---|---|---
ibm | ibm_storage_sentinel | 1.1 | cpe:2.3:a:ibm:ibm_storage_sentinel:1.1:*:*:*:*:*:*:*
