Lucene search

IBMEC1F4EC9D8BBA02B96B1C1BC377810A42C05241664B59A55A5A9AE5ED45B249C

HistoryJul 22, 2024 - 10:17 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to Prototype Pollution in Grafana (CVE-2023-36665)

2024-07-2222:17:05

www.ibm.com

ibm storage ceph

prototype pollution

grafana

cve-2023-36665

protobuf

remote code execution

cvss base score 9.8

upgrade.

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

0.005

Percentile

76.6%

JSON

Summary

Protobuf is used by IBM Storage Ceph in Grafana as part of metrics. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2023-36665.

Vulnerability Details

CVEID:CVE-2023-36665
**DESCRIPTION:**protobuf.js could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution. By sending a specially crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259737 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Ceph	7.0z1 - z2
IBM Storage Ceph	6.1z1 - z5, 6.0
IBM Storage Ceph	5.3z1 - z6

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.1 by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmstorage_cephMatch7.0

ibmstorage_cephMatch1

ibmstorage_cephMatch2

ibmstorage_cephMatch6.1

ibmstorage_cephMatch1

ibmstorage_cephMatch6

ibmstorage_cephMatch6.0

ibmstorage_cephMatch5.3

ibmstorage_cephMatch1

ibmstorage_cephMatch6

VendorProductVersionCPE
ibmstorage_ceph7.0cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:*
ibmstorage_ceph1cpe:2.3:a:ibm:storage_ceph:1:*:*:*:*:*:*:*
ibmstorage_ceph2cpe:2.3:a:ibm:storage_ceph:2:*:*:*:*:*:*:*
ibmstorage_ceph6.1cpe:2.3:a:ibm:storage_ceph:6.1:*:*:*:*:*:*:*
ibmstorage_ceph6cpe:2.3:a:ibm:storage_ceph:6:*:*:*:*:*:*:*
ibmstorage_ceph6.0cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:*
ibmstorage_ceph5.3cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	storage_ceph	7.0	cpe:2.3:a:ibm:storage_ceph:7.0:::::::*
ibm	storage_ceph	1	cpe:2.3:a:ibm:storage_ceph:1:::::::*
ibm	storage_ceph	2	cpe:2.3:a:ibm:storage_ceph:2:::::::*
ibm	storage_ceph	6.1	cpe:2.3:a:ibm:storage_ceph:6.1:::::::*
ibm	storage_ceph	6	cpe:2.3:a:ibm:storage_ceph:6:::::::*
ibm	storage_ceph	6.0	cpe:2.3:a:ibm:storage_ceph:6.0:::::::*
ibm	storage_ceph	5.3	cpe:2.3:a:ibm:storage_ceph:5.3:::::::*