Security Bulletin: IBM Storage Ceph is vulnerable to CWE in the RHEL UBI (CVE-2023-28487)

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-28487.

Vulnerability Details

CVEID:CVE-2023-28487
**DESCRIPTION:**Sudo Project Sudo could allow a remote attacker to obtain sensitive information, caused by improper escaping terminal control characters by the “sudoreplay -l” command. By sending specially crafted terminal control commands, an attacker could exploit this vulnerability to obtain restricted information information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250350 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.0 by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/&gt;
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading&gt;

Workarounds and Mitigations

None