Mar 31, 2023 - 2:22 p.m.

Security Bulletin: Multiple Vulnerabilities in XCC affect Cloud Pak System (CVE-2022-34884, CVE-2022-34888)

2023-03-31 14:22:21
www.ibm.com

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 30.8%

Summary

XClarity Controller (XCC) is vulnerable to Denial of Service and tampering. XCC is used by Cloud Pak System. Cloud Pak System has addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2022-34884
**DESCRIPTION:** Lenovo XClarity Controller (XCC) is vulnerable to a denial of service, caused by a buffer overflow vulnerability in the Remote Presence subsystem. By sending a specially-crafted request, a remote authenticated attacker could overflow a buffer and cause a denial of service.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231123 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-34888
**DESCRIPTION:** Lenovo XClarity Controller (XCC) is vulnerable to tampering, caused by a flaw in the Remote Mount feature. By using spoofed CAN messages, a remote authenticated attacker could exploit this vulnerability to make connections to internal services that may not normally be accessible to users.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231124 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)/Affected component
IBM Cloud Pak Systems v2.3
SN550 XClarity Controller (XCC)
SR630 XClarity Controller (XCC)
OEM SR630 XClarity Controller (XCC)

Remediation/Fixes

The recommended solution for Cloud Pak System is to update XClarity Controller (XCC) with Cloud Pak System 2.3.3.6, as reported in the table below.

Product System Node(s) Version(s)
IBM Cloud Pak System v2.3.3.6
SN550 XCC v5.20 TEI3C8M
SR630 XCC v8.40-CDI394N
OEM SR630 XCC 8.40-CDI394N

Workarounds and Mitigations

None

CPE
Name: ibm cloud pak system software, Operator: eq, Version: 2.3
