Lucene search

K
ibmIBMBE8515B8B2856E7E8E31FDC9A2E1A677E23E107E90CE80EAA8FDFFDAE2986944
HistoryFeb 29, 2024 - 8:14 p.m.

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a man-in-the-middle attack in CPAN.pm [CVE-2023-31484]

2024-02-2920:14:29
www.ibm.com
11
ibm watson
speech services
cloud pak
data
vulnerability
man-in-the-middle attack
cpan.pm
cve-2023-31484
tls certificates
ibm
remediation
fix
download
installation

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.004

Percentile

74.0%

Summary

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a man-in-the-middle attack in CPAN.pm, caused by improper validation of TLS certificates when downloading distributions over HTTPS. [CVE-2023-31484]. CPAN.pm is used as a component of our Speech runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below.

Vulnerability Details

**CVEID:**CVE-2023-31484 DESCRIPTION: CPAN.pm is vulnerable to a man-in-the-middle attack, caused by improper validation of TLS certificates when downloading distributions over HTTPS. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 - 4.8.2

Remediation/Fixes

Product(s)|**Version(s)
**|Remediation/Fix/Instructions
—|—|—
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.8.3| The fix in 4.8.3 applies to all versions listed (4.0.0-4.8.2). Version 4.8.3 can be downloaded and installed from: https://www.ibm.com/docs/en/cloud-paks/cp-data

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.0.0
OR
ibmwatson_assistant_for_ibm_cloud_pak_for_dataMatch4.0.2
VendorProductVersionCPE
ibmwatson_assistant_for_ibm_cloud_pak_for_data4.0.0cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.0.0:*:*:*:*:*:*:*
ibmwatson_assistant_for_ibm_cloud_pak_for_data4.0.2cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.0.2:*:*:*:*:*:*:*

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.004

Percentile

74.0%