Aug 11, 2023 - 7:13 a.m.

Security Bulletin: Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System

2023-08-11 07:13:16
www.ibm.com
ibm elastic storage system
linux kernel
vulnerabilities
denial of service
fix
upgrade
ibm storage scale system
workaround

CVSS3: 7.8

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.4
Confidence: High

EPSS: 0
Percentile: 5.2%

Summary

There are some vulnerabilities in the Linux kernel, used by IBM Elastic Storage System, which could allow a denial of service. Fixes for these vulnerabilities are available.

Vulnerability Details

**CVEID:** CVE-2022-42703
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free flaw related to leaf anon_vma double reuse in mm/rmap.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238058 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2022-4378
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in the __do_proc_dointvec function. By executing a specially-crafted program, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242006 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Storage Scale System | 6.1.0.0 - 6.1.2.6 |
| IBM Storage Scale System | 6.1.3.0 - 6.1.8.0 |

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM Elastic Storage System 3000, 3200, 3500 and 5000 to the following code levels or higher:

V6.1.8.1 or later

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software defined storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=6.1.8&platform=All&function=all

V6.1.2.7 or later

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software defined storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=6.1.0&platform=All&function=all
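
One way to triage an inventory against the affected ranges and fix levels listed above. This is an added example, not code from IBM or from the bulletin. The host names are constructed, and pairing each affected range with the fix level that directly follows it (6.1.2.7 and 6.1.8.1) is an assumption drawn from the version numbers.

```python
import re

# (first affected, last affected, minimum fixed level).
# The ranges come from the bulletin; the range-to-fix pairing is an assumption.
AFFECTED = [
    ((6, 1, 0, 0), (6, 1, 2, 6), "6.1.2.7"),
    ((6, 1, 3, 0), (6, 1, 8, 0), "6.1.8.1"),
]


def parse_version(text):
    """Return a 4-tuple of ints for 'N.N.N.N' (optional leading V), else None."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(version_text):
    """Return (status, minimum_fix_level_or_None) for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return ("unparseable", None)
    for low, high, fix in AFFECTED:
        # Tuple comparison is numeric per field, so 6.1.10.0 sorts after
        # 6.1.8.0; a plain string comparison would get that wrong.
        if low <= version <= high:
            return ("affected", fix)
    # Outside both ranges: the bulletin makes no statement about this level.
    return ("not listed", None)


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in sorted(inventory.items())}


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = {
    "ess-a": "6.1.2.6",
    "ess-b": "6.1.2.7",
    "ess-c": "V6.1.8.0",
    "ess-d": "6.1.10.0",
    "ess-e": "6.1",
}

if __name__ == "__main__":
    for host, (status, fix) in report(INVENTORY).items():
        suffix = f" -> upgrade to {fix} or later" if fix else ""
        print(f"{host}: {INVENTORY[host]} {status}{suffix}")
```
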

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm elastic_storage_system, match 6.1.

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | elastic_storage_system | 6.1. | `cpe:2.3:a:ibm:elastic_storage_system:6.1.:*:*:*:*:*:*:*` |
