Lucene search

K
ibmIBMB44AB816B5FE6907BE1312952DDC5956A186137A3AD15F417FAACE076F6E8739
HistorySep 27, 2024 - 6:09 p.m.

Security Bulletin: Vulnerabilities in Golang Go and PostgreSQL might affect IBM Storage Copy Data Management

2024-09-2718:09:36
www.ibm.com
12
ibm storage copy data management
golang go
postgresql
vulnerabilities
exploit
sensitive information
remediation
linux

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

Low

Summary

IBM Storage Copy Data Management can be affected by vulnerabilities in Golang Go and PostgreSQL . An attacker or remote attacker could exploit these vulnerabilities to create an zip file with contents that vary depending on the implementation reading the file, to obtain sensitive information, and various methods in the net/netip package in Golang Go has an unknown impact and attack vector as described by the CVE in the “Vulnerability Details” section.

Vulnerability Details

**CVEID:**CVE-2024-24790 DESCRIPTION: An unspecified error related to various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses in the net/netip package in Golang Go has an unknown impact and attack vector.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292953 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**CVE-2024-4317 DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292549 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**CVE-2024-24789 DESCRIPTION: Golang Go could allow a local attacker to bypass security restrictions, caused by a flaw with EOCDR comment length handling is inconsistent with other ZIP implementations in the archive/zip package. By sending a specially crafted request, an attacker could exploit this vulnerability to create an zip file with contents that vary depending on the implementation reading the file.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292952 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Copy Data Management 2.2.0.0 - 2.2.24.0

Remediation/Fixes

Affected Versions|**Fixing
**Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
2.2.0.0 - 2.2.24.0| 2.2.24.1| Linux| https://www.ibm.com/support/pages/node/7150077

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmstorage_copy_data_managementMatch2.2
VendorProductVersionCPE
ibmstorage_copy_data_management2.2cpe:2.3:a:ibm:storage_copy_data_management:2.2:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

Low