Lucene search

K
ibmIBMFD2138ED412AA33EED105632A1EF49F20BD3B59BE432CA47B9A672924B3D4F9C
HistoryOct 12, 2023 - 7:06 p.m.

Security Bulletin: DataPower Operator vulnerable to DOS (CVE-2023-29409)

2023-10-1219:06:19
www.ibm.com
11
ibm
datapower operator
denial of service
cve-2023-29409
golang go
remote attacker
cpu time
version 1.8.0
version 1.6.9

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

25.8%

Summary

IBM has addressed the CVE

Vulnerability Details

CVEID:CVE-2023-29409
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, an remote attacker could exploit this vulnerability to cause a client/server to expend significant CPU time verifying signatures, and results in a denial of service condition.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
DataPower Operator 1.7.0
DataPower Operator 1.6.0-1.6.8

Remediation/Fixes

Affected Product(s) Fixed in version
1.7.0 1.8.0
1.6.0 - 1.6.8 1.6.9

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdatapower_gatewayMatch10.0.1
OR
ibmdatapower_gatewayMatch10.5.0
OR
ibmdatapower_gatewayMatch10

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.001 Low

EPSS

Percentile

25.8%