Lucene search

IBMDC7CB1314C51B7C115D6E2FEC51D06B1B59315B20D368C7C951E7D33EBB691D1

HistoryJan 09, 2024 - 3:46 p.m.

Security Bulletin: Multiple vulnerabilities in containerd may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2023-25153, CVE-2023-25173)

2024-01-0915:46:13

www.ibm.com

containerd

ibm decision optimization

ibm cloud pak for data

vulnerabilities

denial of service

memory exhaustion

bypass security

upgrade

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.1%

JSON

Summary

There are multiple vulnerabilities in containerd used by IBM Decision Optimization for IBM Cloud Pak for Data. IBM Decision Optimization for IBM Cloud Pak for Data has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2023-25153
**DESCRIPTION:**containerd is vulnerable to a denial of service, caused by a memory exhaustion flaw when importing an OCI image. By using a specially-crafted image with a large file, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247777 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-25173
**DESCRIPTION:**containerd could allow a local authenticated attacker to bypass security restrictions, caused by improper setup for supplementary groups inside a container. By sending a specially-crafted request using supplementary group access, an attacker could exploit this vulnerability to bypass primary group restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247778 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
Decision Optimization for Cloud Pak for Data	All

Remediation/Fixes

Users are strongly encouraged to upgrade to IBM Decision Optimization for IBM Cloud Pak for Data 4.8 and subsequent releases.
Here is the detailed information on Upgrading IBM Cloud Pak for Data

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_dataMatchany

CPENameOperatorVersion
decision optimization for cloud pak for dataeqany

CPE	Name	Operator	Version
	decision optimization for cloud pak for data	eq	any

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.1%

JSON

Related for DC7CB1314C51B7C115D6E2FEC51D06B1B59315B20D368C7C951E7D33EBB691D1