IBME1CA1A248D211308DF0941EC1023CEDDD5ED41C73E133CF02B3BB4B3DC3BB284Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Netty
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
47.2%
Summary
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Netty.
Vulnerability Details
CVEID:CVE-2023-34462
**DESCRIPTION:**Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel during the TLS handshake the SniHandler class. By sending a specially crafted client hello packet, a remote authenticated attacker could exploit this vulnerability to cause a OutOfMemoryError and so result in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258713 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Watson Discovery |
4.0.0-4.7.1
Remediation/Fixes
Upgrade to IBM Watson Discovery 4.7.3
<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | watson_discovery | 4.0.0 | cpe:2.3:a:ibm:watson_discovery:4.0.0:*:*:*:*:*:*:* |
| ibm | watson_discovery | 4.7.1 | cpe:2.3:a:ibm:watson_discovery:4.7.1:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
47.2%