Lucene search

K
ibmIBMD62801C78243F99F4BD9B1AD811F5719F33C493EB92FF8BC4666E01644FB3A6E
HistoryJan 03, 2023 - 9:12 a.m.

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Go CVE-2022-32149

2023-01-0309:12:51
www.ibm.com
29

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

46.6%

Summary

Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Go CVE-2022-32149 with details below.

Vulnerability Details

CVEID:CVE-2022-32149
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by improper input validation by the golang.org/x/text/language package. By sending a specially-crafted Accept-Language header, a remote attacker could exploit this vulnerability to cause ParseAcceptLanguage to take significant time to parse, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238605 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
Platform Navigator in IBM Cloud Pak for Integration (CP4I) 2020.4.1
2021.1.1
2021.2.1
2021.4.1
2022.2.1
Automation Assets in IBM Cloud Pak for Integration (CP4I) 2020.4.1
2021.1.1
2021.2.1
2021.4.1
2022.2.1

Remediation/Fixes

Platform Navigator version 2020.4.1, 2021.1, 2021.2, 2021.3, 2021.4, or 2022.2 in IBM Cloud Pak for Integration

Upgrade Platform Navigator to either the LTS or CD version:

LTS: 2022.2.1-5 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=upgrading-platform-ui&gt;

CD: 2022.4.1-0 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.4?topic=upgrading-platform-ui&gt;

Automation Assets version 2020.4.1, 2021.1, 2021.2,** 2021.4, or 2022.2 in IBM Cloud Pak for Integration**

Upgrade Automation Assets Operator to 2022.2.1-4 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-automation-assets&gt;

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

46.6%