IBMD44DB5B77259529622595F70A226438B33DB78F7D4EAC97DADCB83EEF833F1CFSecurity Bulletin: Vulnerabilityies in Google Guava affect IBM watsonx.data
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
Summary
Google Guava has vulnerabilities that could allow a local authenticated attacker to obtain sensitive information, allow a remote authenticated attacker to bypass security restrictions and be vulnerable to demial of service attacks. This can affect watsonx.data.
Vulnerability Details
CVEID:CVE-2023-2976
**DESCRIPTION:**Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java’s default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258199 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2018-10237
**DESCRIPTION:**Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/142508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-8908
**DESCRIPTION:**Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| watsonx.data | 1.1.0 - 2.0.2 |
Remediation/Fixes
The product needs to be installed or upgraded to the latest available level watsonx.data 2.0.3 or watsonx.data on CPD 5.0.3. Installation/upgrade instructions can be found here: <https://www.ibm.com/docs/en/watsonx/watsonxdata/2.0.x?topic=deployment-installing.>
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | ibm_watsonx_subscription | 1.1.0 | cpe:2.3:a:ibm:ibm_watsonx_subscription:1.1.0:*:*:*:*:*:*:* |
| ibm | ibm_watsonx_subscription | 2.0.2 | cpe:2.3:a:ibm:ibm_watsonx_subscription:2.0.2:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low