Lucene search

K
ibmIBMBB0B514B7740ABAA6CD93058A82FD3ED413FBE98A0B934EB47DDEE22EA27CFAD
HistoryDec 12, 2023 - 9:34 a.m.

Security Bulletin: Multiple vulnerabilities have been identified in Golang Go used with IBM Storage Scale Data Access Services (DAS) which can cause denial of service.

2023-12-1209:34:21
www.ibm.com
10
golang go
ibm storage scale das
denial of service
vulnerability
fix
ibm spectrum scale data access services

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.024 Low

EPSS

Percentile

90.0%

Summary

Multiple security vulnerabilities have been identified in Golang Go used with IBM Storage Scale Data Access Services (DAS) which can cause denial of service. A fix for this vulnerability is available.

Vulnerability Details

CVEID:CVE-2023-39325
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using HTTP/2 client, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268645 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-41723
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploit this vulnerability to cause excessive CPU consumption, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Scale DAS 5.1.5.0 - 5.1.7.0

Remediation/Fixes

For IBM Spectrum Scale Data Access Services (DAS), install available V5.1.9.1 or later by following the below IBM Documentation link:

<https://www.ibm.com/docs/en/ssdas?topic=storage-scale-data-access-services-519&gt;

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Storage+Scale&release=5.1.9&platform=All&function=all

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmstorage_copy_data_managementMatch5.1.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.024 Low

EPSS

Percentile

90.0%