Lucene search

K
ibmIBMDDF9238F62368ED85FE32BB95039EB16C08AFCC322EC5A45BDAA62E27568A595
HistoryAug 05, 2024 - 10:03 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to Improper Input Validation in the RHEL UBI (CVE-2023-27043)

2024-08-0522:03:58
www.ibm.com
13
ibm storage ceph
rhel ubi
improper input validation
cve-2023-27043
python
email
ibm storage ceph 7.1

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

0.002

Percentile

58.7%

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-27043.

Vulnerability Details

**CVEID:**CVE-2023-27043 DESCRIPTION: Python could allow a remote attacker to bypass security restrictions, caused by a parsing flaw in the email.utils.parsaddr() and email.utils.getaddresses() functions. By sending a specially-crafted e-mail addresses with a special character, an attacker could exploit this vulnerability to send messages from e-mail addresses that would otherwise be rejected.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Storage Ceph 7.0z1-z2
IBM Storage Ceph 6.1z1-z6, 6.0
IBM Storage Ceph 5.3z1-z6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.1 or later by following instructions.

https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/
https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmstorage_cephMatch7.0
OR
ibmstorage_cephMatch1
OR
ibmstorage_cephMatch2
OR
ibmstorage_cephMatch6.1
OR
ibmstorage_cephMatch1
OR
ibmstorage_cephMatch6
OR
ibmstorage_cephMatch6.0
OR
ibmstorage_cephMatch5.3
OR
ibmstorage_cephMatch1
OR
ibmstorage_cephMatch6
VendorProductVersionCPE
ibmstorage_ceph7.0cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:*
ibmstorage_ceph1cpe:2.3:a:ibm:storage_ceph:1:*:*:*:*:*:*:*
ibmstorage_ceph2cpe:2.3:a:ibm:storage_ceph:2:*:*:*:*:*:*:*
ibmstorage_ceph6.1cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:*
ibmstorage_ceph6cpe:2.3:a:ibm:storage_ceph:6:*:*:*:*:*:*:*
ibmstorage_ceph6.0cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:*
ibmstorage_ceph5.3cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:*

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

0.002

Percentile

58.7%