NvidiaNVIDIA:5559Security Bulletin: NVIDIA Mellanox OS, ONYX, Skyway, MetroX-3 XC - July 2024
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
20.0%
NVIDIA has released a firmware update for NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XC. To protect your system, download and install this firmware update from the NVIDIA Enterprise Support Portal.
Go to NVIDIA Product Security.
Details
This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.
| CVE ID | Description | Vector | Base Score | Severity | CWE | Impacts |
|---|---|---|---|---|---|---|
| CVE-2024-0101 | NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter definitions could enable an attacker to cause a failure by attacking the switch. A successful exploit of this vulnerability might lead to denial of service. | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | High | CWE‑693 | Denial of service |
| CVE-2024-0104 | NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in the LDAP AAA component, where a user can cause improper access. A successful exploit of this vulnerability might lead to information disclosure, data tampering, and escalation of privileges. | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N | 4.2 | Medium | CWE‑284 | Information disclosure, data tampering, escalation of privileges |
The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.
Security Updates
The following table lists the NVIDIA products affected, versions affected, and the updated version that includes this security update.
| CVE IDs Addressed | Affected Products | Platform or OS | Affected Versions | Updated Version |
|---|
CVE‑2024-0101
| Mellanox OS | Mellanox OS | All versions prior to and including 3.11.1000 | 3.11.2002
ONYX | ONYX LTS | All versions prior to and including 3.10.4300 | 3.10.4402
Skyway | Skyway | All versions prior to and including 8.2.1000 | 8.2.2000
Skyway LTS | All versions prior to and including 8.1.4300 | 8.1.4400
MetroX-3 XC | MetroX | All versions prior to and including 18.2.1000 | 18.2.2000
MetroX-2 | MetroX | All versions prior to and including 3.11.1000 | 3.11.2002
CVE‑2024-0104 | Mellanox OS | Mellanox OS LTS | All versions prior to and including 3.11.2100 | 3.11.2202
ONYX | ONYX LTS | All versions prior to and including 3.10.4302 | 3.10.4402
Skyway | Skyway | All versions prior to and including 8.2.2100 | 8.2.2202
MetroX-3 XC | MetroX | All versions prior to and including 18.2.2100 | 18.2.2200
MetroX-2 | MetroX | All versions prior to and including 3.11.1000 | 3.11.2002
Notes
- Earlier software releases of this product are also affected. If you are using an earlier release, upgrade to the latest release version.
Get the Most Up-to-Date Product Security Information
Visit the NVIDIA Product Security page to
- Subscribe to security bulletin notifications
- See the current list of NVIDIA security bulletins
- Report a potential security issue in any NVIDIA supported product
- Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
20.0%