Lucene search

K
ibmIBMC39110FBA8B9B3D22B70D66CDCF60FBA1A816D859DC3083C05B35E3BD7AD65F8
HistoryJun 21, 2024 - 3:45 p.m.

Security Bulletin: Multiple PostgreSQL Vulnerabilities Affect IBM Storage Scale System

2024-06-2115:45:31
www.ibm.com
33
ibm storage scale system
postgresql
remote attacker
sensitive information
security restrictions
denial of service
buffer overflow

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

High

EPSS

0.015

Percentile

87.0%

Summary

There are vulnerabilities in PostgreSQL versions used by IBM Storage Scale System that could allow a remote authenticated attacker to obtain sensitive information or bypass security restrictions, a denial of service and a buffer overflow. IBM Storage Scale System has addressed the applicable CVEs. CVE-2023-5868, CVE-2020-21469, CVE-2023-5869, CVE-2024-0985, CVE-2023-5870.

Vulnerability Details

**CVEID:**CVE-2023-5868 DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when perform certain aggregate function calls. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain bytes of server memory from the end of the “unknown”-type value to the next zero byte, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271219 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**CVE-2020-21469 DESCRIPTION: PostgreSQL is vulnerable to a denial of service, caused by a buffer overflow. By sending specially crafted SIGHUP signals, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266327 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-5869 DESCRIPTION: PostgreSQL is vulnerable to a buffer overflow, caused by improper bounds checking by the SQL array values. By sending a specially crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271226 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2024-0985 DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when running in REFRESH MATERIALIZED VIEW CONCURRENTLY. By persuading a victim to run command a specially crafted view, an attacker could exploit this vulnerability to execute arbitrary SQL functions as the command issuer.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282771 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2023-5870 DESCRIPTION: PostgreSQL is vulnerable to a denial of service, caused by a flaw in the pg_signal_backend role. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 2.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271227 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Scale System 6.1.0.0 - 6.1.2.9
IBM Storage Scale System 6.1.3.0 - 6.1.9.2

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM Storage Scale System 3000, 3200, 3500, 5000 and 6000 to the following code levels or higher:

V6.2.0.0

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software defined storage&product=ibm/StorageSoftware/IBM+Storage+Scale+System&release=6.2.0&platform=All&function=all

V6.1.9.3

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software defined storage&product=ibm/StorageSoftware/IBM+Storage+Scale+System&release=6.1.9&platform=All&function=all

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmscale_out_network_attached_storageMatch6.1.
VendorProductVersionCPE
ibmscale_out_network_attached_storage6.1.cpe:2.3:h:ibm:scale_out_network_attached_storage:6.1.:*:*:*:*:*:*:*

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9

Confidence

High

EPSS

0.015

Percentile

87.0%