Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF0BEE71D1E1E1F410EAE7CBBF899A463124708682905DE5AB537B39047C97A14
HistoryDec 15, 2022 - 1:55 a.m.

Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs

2022-12-1501:55:24
www.ibm.com
8

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

71.1%

JSON

Summary

Multiple vulnerabilities were fixed in IBM Cloud Pak for Watson AIOps version 3.6.

Vulnerability Details

CVEID:CVE-2018-8023
**DESCRIPTION:**Apache Mesos could allow a remote attacker to obtain sensitive information, caused by a timing attack in the JSON Web Token (JWT) implementation. By abusing the timing difference of when the JWT validation function returns, an attacker could exploit this vulnerability to obtain the valid HMAC value.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150215 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2022-21626
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-1552
**DESCRIPTION:**PostgreSQL remote authenticated attacker to bypass security restrictions, caused by an issue with not activate protection or too late with the Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL functions under a superuser identity.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226521 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-41854
**DESCRIPTION:**snakeYAML is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted YAML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-23806
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw with IsOnCurve function returns true for invalid field elements. By sending a specially-crafted request, an attacker could exploit this vulnerability to causes a panic in ScalarMult, and results in a denial of condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219444 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Pak for Watson AIOps 3.x
IBM Cloud Pak for Watson AIOps 3.x
IBM Cloud Pak for Watson AIOps 3.x
IBM Cloud Pak for Watson AIOps 3.x
IBM Cloud Pak for Watson AIOps 3.x

Remediation/Fixes

IBM strongly suggests that you address the vulnerabilities now for all affected products/versions listed above by installing Fix:

<https://www.ibm.com/docs/en/SSJGDOB_3.6.0/upgrading/upgrading.html&gt;

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud pak for watson aiopseq3.6

Related

redhatcve 5
osv 16
prion 4
cve 5
github 2
ibm 32
openvas 22
nessus 46
ubuntucve 4
cbl_mariner 6
veracode 4
alpinelinux 3
debiancve 4
fedora 1
altlinux 11
oraclelinux 5
debian 2
rocky 4
amazon 1
redhat 12
suse 2
ubuntu 2
cloudfoundry 1
centos 1
almalinux 2
freebsd 1
broadcom 1
redhatcve
redhatcve
CVE-2018-8023
2018-09-25 15:49:34
CVE-2022-41854
2022-12-09 13:34:48
CVE-2022-23806
2022-02-11 10:46:58
osv
osv
Moderate severity vulnerability that affects org.apache.mesos:mesos
2018-10-17 19:54:14
CVE-2018-8023
2018-09-21 13:29:01
BIT-golang-2022-23806
2024-03-06 11:02:30
prion
prion
Authentication flaw
2018-09-21 13:29:00
Design/Logic Flaw
2022-02-11 01:15:00
Stack overflow
2022-11-11 13:15:00
cve
cve
CVE-2018-8023
2018-09-21 13:29:00
CVE-2022-41854
2022-11-11 13:15:00
CVE-2022-23806
2022-02-11 01:15:00
github
github
Moderate severity vulnerability that affects org.apache.mesos:mesos
2018-10-17 19:54:14
Snakeyaml vulnerable to Stack overflow leading to denial of service
2022-11-11 19:00:31
ibm
ibm
Security Bulletin: There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854)
2023-03-28 13:29:35
Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23806
2022-04-08 14:54:10
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23806
2022-05-09 17:36:36
openvas
openvas
Fedora: Security Advisory for picocli (FEDORA-2023-27ec59a486)
2023-07-08 00:00:00
Oracle Java SE Security Update (oct2022) 04 - Windows
2022-10-19 00:00:00
Oracle OpenJDK Unspecified Vulnerability (Oct 2022)
2022-10-19 00:00:00
nessus
nessus
Fedora 36 : snakeyaml (2022-8a4e8aa190)
2022-12-23 00:00:00
Fedora 38 : picocli (2023-27ec59a486)
2023-07-06 00:00:00
Debian DSA-5135-1 : postgresql-11 - security update
2022-05-13 00:00:00
ubuntucve
ubuntucve
CVE-2022-41854
2022-11-11 00:00:00
CVE-2022-23806
2022-02-11 00:00:00
CVE-2022-21626
2022-10-18 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-41854 affecting package snakeyaml 1.25-2
2024-04-25 09:08:17
CVE-2022-23806 affecting package golang 1.17.13-2
2022-02-25 01:45:48
CVE-2022-23806 affecting package golang 1.18.8-2
2022-04-26 19:57:46
veracode
veracode
Remote Code Execution (RCE)
2022-02-14 08:44:04
Denial Of Service (DoS)
2022-11-17 12:37:25
Improper Access Control
2022-10-23 18:35:29
alpinelinux
alpinelinux
CVE-2022-23806
2022-02-11 01:15:00
CVE-2022-21626
2022-10-18 21:15:00
CVE-2022-1552
2022-08-31 16:15:00
debiancve
debiancve
CVE-2022-23806
2022-02-11 01:15:00
CVE-2022-41854
2022-11-11 13:15:00
CVE-2022-21626
2022-10-18 21:15:00
fedora
fedora
[SECURITY] Fedora 38 Update: picocli-4.7.4-1.fc38
2023-07-06 02:19:58
altlinux
altlinux
Security fix for the ALT Linux 9 package postgresql11 version 11.16-alt0.M90P.1
2022-05-18 00:00:00
Security fix for the ALT Linux 10 package postgresql14-1C version 14.3-alt1
2022-05-13 00:00:00
Security fix for the ALT Linux 10 package postgresql15-1C version 14.3-alt1
2022-05-11 00:00:00
oraclelinux
oraclelinux
postgresql:13 security update
2022-06-02 00:00:00
postgresql security update
2022-06-22 00:00:00
postgresql security update
2022-06-30 00:00:00
debian
debian
[SECURITY] [DSA 5135-1] postgresql-11 security update
2022-05-12 19:28:08
[SECURITY] [DSA 5136-1] postgresql-13 security update
2022-05-12 19:28:35
rocky
rocky
postgresql:13 security update
2022-06-01 13:45:22
postgresql security update
2022-05-30 07:19:50
postgresql:10 security update
2022-05-30 11:39:32
amazon
amazon
Important: postgresql
2022-09-01 21:09:00
redhat
redhat
(RHSA-2022:4894) Important: postgresql:10 security update
2022-06-02 09:21:25
(RHSA-2022:5162) Important: postgresql security update
2022-06-22 08:54:12
(RHSA-2022:4913) Important: rh-postgresql10-postgresql security update
2022-06-06 06:49:47
suse
suse
Security update for postgresql12 (important)
2022-05-31 00:00:00
Security update for postgresql10 (important)
2022-05-31 00:00:00
ubuntu
ubuntu
PostgreSQL vulnerability
2022-10-13 00:00:00
PostgreSQL vulnerability
2022-05-24 00:00:00
cloudfoundry
cloudfoundry
USN-5440-1: PostgreSQL vulnerability | Cloud Foundry
2022-07-28 00:00:00
centos
centos
postgresql security update
2022-08-02 19:22:33
almalinux
almalinux
Important: postgresql:12 security update
2022-05-31 07:56:56
Important: postgresql:10 security update
2022-05-30 11:39:32
freebsd
freebsd
PostgreSQL Server -- execute arbitrary SQL code as DBA user
2022-05-11 00:00:00
broadcom
broadcom
CVE-2022-1552 : Autovacuum, REINDEX, and others omit "security restricted operation" sandbox
2023-05-19 00:00:00

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

71.1%

JSON
Related for F0BEE71D1E1E1F410EAE7CBBF899A463124708682905DE5AB537B39047C97A14
redhatcve5osv16prion4cve5github2ibm32openvas22nessus46ubuntucve4cbl_mariner6veracode4alpinelinux3debiancve4fedora1altlinux11oraclelinux5debian2rocky4amazon1redhat12suse2ubuntu2cloudfoundry1centos1almalinux2freebsd1broadcom1