Lucene search

K
ibmIBMDED8E022DD51C268A63A5C1B81D17FA91DF9FCB5A2AF5F80919FFC716EC36DE1
HistoryJan 24, 2024 - 7:00 p.m.

Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-4806, CVE-2023-4155, CVE-2023-4527)

2024-01-2419:00:38
www.ibm.com
9
ibm security guardium
multiple vulnerabilities
gnu glibc
linux kernel
glibc
denial of service
buffer overflow
update
version 12.0

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

8.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.8%

Summary

IBM Security Guardium has addressed these vulnerabilities with an update.

Vulnerability Details

CVEID:CVE-2023-4806
**DESCRIPTION:**GNU glibc is vulnerable to a denial of service, caused by a use-after-free flaw in the getaddrinfo() function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266465 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-4155
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a race condition in KVM AMD Secure Encrypted Virtualization (SEV). By sending a specially crafted request using the VMGEXIT handler recursively, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266090 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H)

CVEID:CVE-2023-4527
**DESCRIPTION:**glibc is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the getaddrinfo function. By sending a DNS response over TCP larger than 2048 bytes, a remote attacker could overflow a buffer, allowing an attacker to obtain sensitive information or cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266261 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Guardium 12.0

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Product Versions ** Fix**
IBM Security Guardium 12.0 https://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Information+Management/InfoSphere+Guardium&release=12.0&platform=Linux&function=fixId&fixids=SqlGuard_12.0p6003_December-Security-Patch_V12.0&includeSupersedes=0&source=fc

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsecurity_guardiumMatch12.0
CPENameOperatorVersion
ibm security guardiumeq12.0

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

8.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.8%