Jun 25, 2024 - 3:06 a.m.

Security Bulletin: Storage Virtualize Ansible Collection is affected by a vulnerability in the cryptography package

2024-06-25 03:06:00
www.ibm.com
storage virtualize ansible collection
cryptography
cve-2023-50782
ibm storage virtualize
vulnerability
red hat certified ansible collection
update
fix

CVSS3: 7.5 High

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.4 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 41.3%)

Summary

Storage Virtualize Ansible Collection uses the cryptography package to provide common cryptographic algorithms. Version 41.0.7 of the cryptography package is vulnerable to CVE-2023-50782.

Vulnerability Details

CVEID: CVE-2023-50782
**DESCRIPTION:** Python Cryptographic Authority cryptography could allow a remote attacker to obtain sensitive information, caused by a flaw when decrypting captured messages in TLS servers that use RSA key exchanges. By utilizing cryptographic attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281614 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Red Hat Certified Ansible Collection for IBM Storage Virtualize | 2.2.0 and earlier |

Remediation/Fixes

Update ibm.storage_virtualize to version >= 2.3.0, which includes cryptography 42.0.5.

Alternatively, install cryptography >= 42.0.5 over ibm.storage_virtualize version 2.2.0. The plugin will still work on cryptography < 42.0.5, but it is necessary to update to fix this vulnerability.

Ansible collection ibm.storage_virtualize: <https://github.com/ansible-collections/ibm.storage_virtualize>
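The following is an added example, not part of the IBM bulletin: it classifies an Ansible control node from the text output of `pip freeze` and `ansible-galaxy collection list`, using the fixed versions stated above. The function names, status strings and sample outputs are constructed for illustration.

```python
import re

FIXED_CRYPTOGRAPHY = (42, 0, 5)  # fixed cryptography release named in the bulletin
FIXED_COLLECTION = (2, 3, 0)     # fixed ibm.storage_virtualize release named in the bulletin

def vtuple(text):
    """Parse the leading numeric release, e.g. '42.0.5' -> (42, 0, 5)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def cryptography_version(pip_freeze):
    """Return the pinned cryptography version from `pip freeze` text, or None."""
    for line in pip_freeze.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name.lower() == "cryptography":
            return vtuple(ver)
    return None  # absent, or a direct-URL install with no '==' pin

def collection_version(galaxy_list):
    """Return the ibm.storage_virtualize version from `ansible-galaxy collection list` text."""
    for line in galaxy_list.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] == "ibm.storage_virtualize":
            return vtuple(fields[1])
    return None

def assess(pip_freeze, galaxy_list):
    """Classify one control node as (status, action)."""
    coll = collection_version(galaxy_list)
    crypto = cryptography_version(pip_freeze)
    if coll is None:
        return ("not-applicable", "collection not installed")
    if crypto is None:
        return ("unknown", "determine the cryptography version manually")
    if crypto >= FIXED_CRYPTOGRAPHY:
        return ("remediated", "none")
    if coll < FIXED_COLLECTION:
        return ("vulnerable", "update collection to >= 2.3.0 or install cryptography >= 42.0.5")
    return ("vulnerable", "install cryptography >= 42.0.5")

# Constructed sample output, not captured from a real system.
SAMPLE_GALAXY = """Collection             Version
---------------------- -------
ibm.storage_virtualize 2.2.0
"""
SAMPLE_FREEZE = "ansible-core==2.15.9\ncryptography==41.0.7\n"
```

Because the collection keeps working on older cryptography releases, the status follows the installed cryptography version; the collection version only selects which remediation path is suggested.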

Workarounds and Mitigations

None

Affected configurations

Vulners

Node: ibmdocument_connect_for_application_support_facility, Match: 2.2.0

| CPE Name | Operator | Version |
|---|---|---|
| ibm support for ansible | eq | 2.2.0 |
