Lucene search

K
ibmIBMF059134BB0EF11F0543CB1521608EFC4B6C64500691ABA9F113C765E340A00DD
HistorySep 06, 2024 - 3:43 p.m.

Security Bulletin: IBM DataPower Gateway vulnerable to multiple kernel CVEs

2024-09-0615:43:01
www.ibm.com
12
ibm datapower gateway
kernel vulnerabilities
10.5.0.12
cve-2023-2162
cve-2023-1073
cve-2023-45871
buffer overflow
memory corruption
elevated privileges
vulnerability remediation

CVSS3

7.5

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

Summary

IBM DataPower Gateway has addressed multiple CVEs in 10.5.0.12

Vulnerability Details

**CVEID:**CVE-2023-2162 DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by a use-after-free flaw in the iscsi_sw_tcp_session_create function in drivers/scsi/iscsi_tcp.c in the SCSI sub-component. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain kernel internal information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253490 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2023-1073 DESCRIPTION: Linux Kernel could allow a physical authenticated attacker to gain elevated privileges on the system, caused by a memory corruption flaw in the human interface device (HID) subsystem. By using a specially crafted USB device , an attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251322 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2023-45871 DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the IGB driver in drivers/net/ethernet/intel/igb/igb_main.c. By sending a specially crafted request, a remote attacker from within the local network could overflow a buffer and execute arbitrary code or cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268717 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway 10.5.0 10.5.0.0 - 10.5.0.11

Remediation/Fixes

These CVEs have been addressed in IBM DataPower Gateway 10.5.0.12, under APAR IT46823

IBM strongly recommends addressing the vulnerability now.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdatapower_gatewayMatch10.5.0
OR
ibmdatapower_gatewayMatch10.6.0
VendorProductVersionCPE
ibmdatapower_gateway10.5.0cpe:2.3:a:ibm:datapower_gateway:10.5.0:*:*:*:*:*:*:*
ibmdatapower_gateway10.6.0cpe:2.3:a:ibm:datapower_gateway:10.6.0:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High