Published: Sep 18, 2023, 9:56 a.m.

Security Bulletin: Vulnerabilities in Certifi, cryptography, python-requests and Tornado can affect IBM Storage Protect Plus Microsoft File Systems Backup and Restore [CVE-2023-37920, CVE-2023-38325, CVE-2023-32681, CVE-2023-28370]

www.ibm.com
ibm storage protect plus
certifi
cryptography
python-requests
tornado
vulnerabilities
phishing attacks
sensitive information
weaker security
ibm spectrum protect plus
ibm storage protect
ibm spectrum protect brand change

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

68.3%

Summary

IBM Storage Protect Plus Microsoft File Systems Backup and Restore can be affected by vulnerabilities in Certifi, cryptography, python-requests and Tornado which include obtaining sensitive information, phishing attacks and weaker security, as described by the CVEs in the “Vulnerability Details” section. These vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2023-37920
**DESCRIPTION:** Certifi releases before 2023.07.22 continue to trust the e-Tugra root certificates, which upstream removed from the bundle following an investigation into that CA's systems; TLS clients validating against the older bundle still accept certificates chaining to those roots. X-Force records the precise impact and attack vector as unspecified.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/261639 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2023-38325
**DESCRIPTION:** Python Cryptographic Authority cryptography before 41.0.2 could provide weaker than expected security: SSH certificate critical options are encoded and decoded in a way that does not match OpenSSH, so the same certificate can be interpreted differently by the two implementations. An attacker could exploit this mismatch to launch further attacks on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/260859 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2023-32681
**DESCRIPTION:** python-requests before 2.31.0 could allow a remote attacker to obtain sensitive information. When a request made through an authenticated forward proxy is redirected to an HTTPS origin, the library reattaches the Proxy-Authorization header to the redirected request; because that request travels inside the TLS tunnel, the proxy cannot strip the header and the destination server receives the proxy credentials. By persuading a victim to follow a specially crafted URL that redirects to a server under their control, an attacker could obtain those credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/256114 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)

CVEID: CVE-2023-28370
**DESCRIPTION:** Tornado before 6.3.2 could allow a remote attacker to conduct phishing attacks, caused by an open redirect in the StaticFileHandler. An attacker could craft a link to the affected application that redirects a victim to an arbitrary external Web site.
CVSS Base score: 3.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/255985 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)
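The mechanism behind CVE-2023-32681, shown as an added example that is not code from python-requests, IBM or this bulletin: a constructed model of a session that follows a redirect through an authenticated forward proxy. The function names, URLs, proxy address and credential are assumptions made for illustration. The vulnerable variant reattaches Proxy-Authorization to the request headers on every hop, so on an https hop the header travels inside the TLS tunnel straight to the origin; the fixed variant only adds it on plain http hops, where the proxy reads and removes it (for a tunneled request the credential belongs on the CONNECT, which this model does not simulate).

```python
"""
Constructed model of redirect handling with a forward proxy (CVE-2023-32681).
Not code from requests or IBM; names and data are illustrative assumptions.
"""
from urllib.parse import urlsplit

PROXY_AUTH = "Proxy-Authorization"


def _scheme(url):
    return urlsplit(url).scheme


def rebuild_proxies_vulnerable(headers, url, proxies, proxy_credential):
    """Pre-fix shape: if a proxy applies to this URL's scheme, put the proxy
    credential into the request headers regardless of whether the hop is
    plain http or a TLS tunnel."""
    headers = dict(headers)
    headers.pop(PROXY_AUTH, None)
    if _scheme(url) in proxies:
        headers[PROXY_AUTH] = proxy_credential
    return headers


def rebuild_proxies_fixed(headers, url, proxies, proxy_credential):
    """Post-fix shape: any stale copy is removed and the credential is only
    placed in the request headers for plain http. For https the proxy must
    receive it in the CONNECT request instead (not modelled here), so it is
    never added to the request that goes through the tunnel."""
    headers = dict(headers)
    headers.pop(PROXY_AUTH, None)
    scheme = _scheme(url)
    if scheme == "http" and scheme in proxies:
        headers[PROXY_AUTH] = proxy_credential
    return headers


def headers_seen_by_origin(url, headers, proxies):
    """What the destination server receives for one hop (constructed model):
    on plain http the forward proxy consumes Proxy-Authorization before
    forwarding; on https the tunneled request reaches the origin unmodified."""
    seen = dict(headers)
    scheme = _scheme(url)
    if scheme == "http" and scheme in proxies:
        seen.pop(PROXY_AUTH, None)
    return seen


def follow(start_url, redirect_chain, proxies, proxy_credential, rebuild):
    """Follow redirects from start_url. redirect_chain maps a URL to the
    Location it redirects to. Returns [(url, headers the origin saw), ...]."""
    url = start_url
    headers = rebuild({"User-Agent": "example/1.0"}, url, proxies, proxy_credential)
    observed = [(url, headers_seen_by_origin(url, headers, proxies))]
    while url in redirect_chain:
        url = redirect_chain[url]
        headers = rebuild(headers, url, proxies, proxy_credential)
        observed.append((url, headers_seen_by_origin(url, headers, proxies)))
    return observed


def leaked_hops(observed):
    """URLs whose origin server received the proxy credential."""
    return [url for url, hdrs in observed if PROXY_AUTH in hdrs]


# Constructed scenario: both schemes go through the same proxy, and the first
# (http) hop redirects to an attacker-controlled https origin.
PROXIES = {"http": "http://proxy.internal:3128", "https": "http://proxy.internal:3128"}
CRED = "Basic dXNlcjpzZWNyZXQ="  # constructed value, not a real credential
CHAIN = {"http://example.test/start": "https://attacker.test/landing"}

if __name__ == "__main__":
    for name, fn in (("vulnerable", rebuild_proxies_vulnerable),
                     ("fixed", rebuild_proxies_fixed)):
        obs = follow("http://example.test/start", CHAIN, PROXIES, CRED, fn)
        print(name, "credential reached:", leaked_hops(obs))
```

Run as a script: the vulnerable variant reports the https landing page as a hop that received the credential, the fixed variant reports none, and in both cases the plain-http hop is clean because the proxy consumed the header.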

Affected Products and Versions

Affected Product(s)                           Version(s)
IBM Spectrum Protect Plus File Systems Agent  10.1.6 - 10.1.14
IBM Storage Protect Plus File Systems Agent   10.1.15

**Note:** The product now known as IBM Storage Protect Plus was named IBM Spectrum Protect Plus in levels earlier than 10.1.15. To learn more about the brand change, see IBM Spectrum Protect brand change to IBM Storage Protect.

Remediation/Fixes

IBM Storage Protect Plus Affected Versions  Fixing Level  Platform  Link to Fix and Instructions
10.1.6-10.1.15                              10.1.15.2     Windows   https://www.ibm.com/support/pages/node/6988945
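The bulletin's fix is IBM's 10.1.15.2 level, but the same four libraries are commonly shipped by other Python-based tooling. The following audit is an added example, not IBM's tooling or anything from this page: it compares installed versions against the upstream releases that closed each CVE. Those fixed versions (certifi 2023.07.22, cryptography 41.0.2, requests 2.31.0, tornado 6.3.2) are taken from the upstream advisories and are an assumption here, as is the sample `pip freeze` output embedded below.

```python
"""
Dependency audit for the four libraries named in the bulletin.
Constructed example, not IBM's tooling. FIXED_VERSIONS are the upstream
releases that closed each CVE (assumption from the upstream advisories, not
stated on the bulletin). Versions are compared as numeric tuples with a
pre-/post-release tag, which covers these projects' release strings.
"""
import re
from importlib import metadata

FIXED_VERSIONS = {
    "certifi": ("2023.7.22", "CVE-2023-37920"),
    "cryptography": ("41.0.2", "CVE-2023-38325"),
    "requests": ("2.31.0", "CVE-2023-32681"),
    "tornado": ("6.3.2", "CVE-2023-28370"),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_key(version):
    """Sort key for a release string. '2023.07.22' equals '2023.7.22' and
    '6.3' equals '6.3.0'; a pre-release ('41.0.2rc1') sorts below the final
    release and a post-release ('41.0.2.post1') sorts above it."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))  # pad so 6.3 == 6.3.0
    suffix = m.group(2)
    if suffix == "":
        tag = 0
    elif suffix.lstrip(".").startswith("post"):
        tag = 1
    else:
        tag = -1
    return (nums, tag, suffix)


def is_vulnerable(name, installed):
    """True if the installed version predates the upstream fix for name."""
    fixed, _cve = FIXED_VERSIONS[name]
    return version_key(installed) < version_key(fixed)


def audit(installed):
    """installed: {distribution name: version}.
    Returns [(name, installed, fixed, cve), ...] for vulnerable packages,
    in FIXED_VERSIONS order; packages that are not installed are skipped."""
    findings = []
    for name, (fixed, cve) in FIXED_VERSIONS.items():
        version = installed.get(name)
        if version is not None and is_vulnerable(name, version):
            findings.append((name, version, fixed, cve))
    return findings


def parse_freeze(text):
    """Parse 'pip freeze' style output (name==version per line) into a dict.
    Comments, editable installs and URL/VCS specs are ignored."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-e ")) or "==" not in line:
            continue
        name, _, version = line.partition("==")
        out[name.strip().lower()] = version.strip()
    return out


def installed_versions():
    """Versions of the four libraries in the running interpreter, if present."""
    out = {}
    for name in FIXED_VERSIONS:
        try:
            out[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return out


# Constructed sample of 'pip freeze' output; not a real environment.
SAMPLE_FREEZE = """\
# constructed sample
certifi==2023.5.7
cryptography==41.0.2
requests==2.30.0
tornado==6.3.1
urllib3==2.0.3
"""

if __name__ == "__main__":
    for finding in audit(parse_freeze(SAMPLE_FREEZE)):
        print("sample: %s %s < %s (%s)" % finding)
    for finding in audit(installed_versions()):
        print("live:   %s %s < %s (%s)" % finding)
```

Feed it real `pip freeze` output with `audit(parse_freeze(open("requirements.txt").read()))`, or run it inside the interpreter you want checked to audit what is actually importable there.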

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm storage_protect_plus, matching any of the following versions:
10.1.6, 10.1.7, 10.1.8, 10.1.9, 10.1.10, 10.1.11, 10.1.13, 10.1.14, 10.1.15, 10.1.15.1
