Lucene search

K
ibmIBME9A068E1D83449E8020C0ECA80AD791DBAC984BC89987CE008ED1AE0A9257FEB
HistoryMay 15, 2024 - 5:11 p.m.

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache ZooKeeper security bypass vulnerabilitiy. (CVE-2023-44981)

2024-05-1517:11:30
www.ibm.com
16
ibm watson assistant
cloud pak for data
vulnerability
apache zookeeper
security bypass
cve-2023-44981
upgrade
remediation
installation instructions
ibm documentaries

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.1

Confidence

High

EPSS

0.004

Percentile

72.6%

Summary

Potential Apache ZooKeeper security bypass vulnerabilitiy (CVE-2023-44981) has been identified that affects IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information.

Vulnerability Details

**CVEID:**CVE-2023-44981 DESCRIPTION: Apache ZooKeeper could allow a remote attacker to bypass security restrictions, caused by a flaw when SASL Quorum Peer authentication is enabled. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization and allow arbitrary endpoints to join the cluster and begin propagating counterfeit changes.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268362 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Affected Version(s)
IBM Watson Assistant for IBM Cloud Pak for Data 4.0.0 - 4.8.4

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.8.5 or later releases) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.

Product Latest Version Remediation/Fix/Instructions
IBM Watson Assistant for IBM Cloud Pak for Data 4.8.5 Follow instructions for Installing Watson Assistant in Link to Release (v4.8.5 release information) https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_assistant_for_ibm_cloud_pak_for_dataRange4.0.0
OR
ibmwatson_assistant_for_ibm_cloud_pak_for_dataRange4.8.4
VendorProductVersionCPE
ibmwatson_assistant_for_ibm_cloud_pak_for_data*cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:*:*:*:*:*:*:*:*

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.1

Confidence

High

EPSS

0.004

Percentile

72.6%