IBMD603AA0A0A99B49B6D8B712F2B2E54C1A731A407B1123804E15314B3BBAA1BB3Security Bulletin: IBM Cinder plug-in is affected by a vulnerability in the Python cryptography-40.0.0 package [CVE-2023-38325]
Summary
The Python cryptography package which provides both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, message digests, and key derivation functions, is used by IBM Cinder plug-in. cryptography-40.0.0 package could provide weaker than expected security, caused by an encoding mismatch regarding critical options with OpenSSH (vulnerability CVE-2023-38325).
Vulnerability Details
CVEID:CVE-2023-38325
**DESCRIPTION:**Python Cryptographic Authority cryptography could provide weaker than expected security, caused by an encoding mismatch regarding critical options with OpenSSH. An attacker could exploit this vulnerability to launch further attacks on the system
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Cinder Plug-in | All |
Remediation/Fixes
Update Python to version >= 3.9
Update cryptography library to version >= 41.0.3
Please note:
- The plugin will still work on Python < 3.9, but it is necessary to update to fix this vulnerability as the fixed version of cryptography library is not supported on Python < 3.9
- IBM Cinder SVf driver has been tested using non-vulnerable version of cryptography library.
Workarounds and Mitigations
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| cinder plug-in | eq | any |
Related
6.2 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.6%