IBMB44AB816B5FE6907BE1312952DDC5956A186137A3AD15F417FAACE076F6E8739Security Bulletin: Vulnerabilities in Golang Go and PostgreSQL might affect IBM Storage Copy Data Management
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
Summary
IBM Storage Copy Data Management can be affected by vulnerabilities in Golang Go and PostgreSQL . An attacker or remote attacker could exploit these vulnerabilities to create an zip file with contents that vary depending on the implementation reading the file, to obtain sensitive information, and various methods in the net/netip package in Golang Go has an unknown impact and attack vector as described by the CVE in the “Vulnerability Details” section.
Vulnerability Details
CVEID:CVE-2024-24790
**DESCRIPTION:**An unspecified error related to various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses in the net/netip package in Golang Go has an unknown impact and attack vector.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292953 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2024-4317
**DESCRIPTION:**PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292549 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2024-24789
**DESCRIPTION:**Golang Go could allow a local attacker to bypass security restrictions, caused by a flaw with EOCDR comment length handling is inconsistent with other ZIP implementations in the archive/zip package. By sending a specially crafted request, an attacker could exploit this vulnerability to create an zip file with contents that vary depending on the implementation reading the file.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292952 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Storage Copy Data Management | 2.2.0.0 - 2.2.24.0 |
Remediation/Fixes
Affected Versions|**Fixing
**Level|Platform|**Link to Fix and Instructions
**
—|—|—|—
2.2.0.0 - 2.2.24.0| 2.2.24.1| Linux| <https://www.ibm.com/support/pages/node/7150077>
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | storage_copy_data_management | 2.2 | cpe:2.3:a:ibm:storage_copy_data_management:2.2:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low