Lucene search

IBMB55842B9AEEA3035FBC723482DCD7F83244ED610A9DC8B2747BC72A222BC274F

HistoryJun 28, 2024 - 12:46 p.m.

Security Bulletin: A vulnerability in github.com/containerd/containerd-v1.6.17 affects Data Replication on Cloud Pak for Data

2024-06-2812:46:52

www.ibm.com

containerd package

supplementary groups

denial of service

memory exhaustion

cloud pak for data

github vulnerability

data replication

fix pack

security restriction bypass

cve-2023-25173

cve-2023-25153

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.0%

JSON

Summary

A vulnerability in the github.com/containerd/containerd-v1.6.17 package has been addressed.

Vulnerability Details

CVEID:CVE-2023-25173
**DESCRIPTION:**containerd could allow a local authenticated attacker to bypass security restrictions, caused by improper setup for supplementary groups inside a container. By sending a specially-crafted request using supplementary group access, an attacker could exploit this vulnerability to bypass primary group restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247778 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-25153
**DESCRIPTION:**containerd is vulnerable to a denial of service, caused by a memory exhaustion flaw when importing an OCI image. By using a specially-crafted image with a large file, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247777 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Data Replication on Cloud Pak for Data	All before 4.8.0

Remediation/Fixes

Update to the latest product fix pack found here: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=new-data-replication>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.6.4

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.6.5

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.7.0

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.7.1

ibmcognos_analytics_cartridge_for_ibm_cloud_pak_for_dataMatch4.7.2

CPENameOperatorVersion
ibm data replication cartridge for ibm cloud pak for dataeq4.6.4
ibm data replication cartridge for ibm cloud pak for dataeq4.6.5
ibm data replication cartridge for ibm cloud pak for dataeq4.7.0
ibm data replication cartridge for ibm cloud pak for dataeq4.7.1
ibm data replication cartridge for ibm cloud pak for dataeq4.7.2

Name	Operator	Version
ibm data replication cartridge for ibm cloud pak for data	eq	4.6.4
ibm data replication cartridge for ibm cloud pak for data	eq	4.6.5
ibm data replication cartridge for ibm cloud pak for data	eq	4.7.0
ibm data replication cartridge for ibm cloud pak for data	eq	4.7.1
ibm data replication cartridge for ibm cloud pak for data	eq	4.7.2