Lucene search

K
ibmIBME01BC232A5A6D2221929DA11F33802C00304860CF5C98980EF676A16EB2634EF
HistoryDec 06, 2023 - 3:44 p.m.

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to DOS due to opm ( CVE-2023-25173, CVE-2023-25153 ).

2023-12-0615:44:04
www.ibm.com
18
ibm cloud pak data
dos vulnerability
opm
cve-2023-25173
cve-2023-25153
containerd
version 4.8 fix

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

48.8%

Summary

Opm is used by IBM Cloud Pak for Data Scheduling as part of the ibm-cpd-scheduler-operator-catalog image used for installation of the Scheduler.

Vulnerability Details

**CVEID:**CVE-2023-25173 DESCRIPTION: containerd could allow a local authenticated attacker to bypass security restrictions, caused by improper setup for supplementary groups inside a container. By sending a specially-crafted request using supplementary group access, an attacker could exploit this vulnerability to bypass primary group restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247778 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**CVE-2023-25153 DESCRIPTION: containerd is vulnerable to a denial of service, caused by a memory exhaustion flaw when importing an OCI image. By using a specially-crafted image with a large file, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247777 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Products/Versions guidance:

Affected Product(s)|**Version(s)
**
โ€”|โ€”
IBM Cloud Pak for Data Scheduling| 4.6.4 - 4.7.4

Remediation/Fixes

Remediation/Fixes guidance :

IBM strongly recommends addressing the vulnerability now.

Product(s) Version(s) number and/or range Remediation/Fix/Instructions
IBM Cloud Pak for Data Scheduling 4.6.4 - 4.7.4 Download v4.8 and follow instructions

Note: IBM Cloud Pak for Data Scheduling is bundled with IBM Cloud Pak for Data to provide advanced scheduling features.

Workarounds and Mitigations

Workarounds/Mitigation guidance :

None

Affected configurations

Vulners
Node
ibmcloud_pak_for_dataMatch4.8.0
VendorProductVersionCPE
ibmcloud_pak_for_data4.8.0cpe:2.3:a:ibm:cloud_pak_for_data:4.8.0:*:*:*:*:*:*:*

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.6

Confidence

High

EPSS

0.001

Percentile

48.8%