IBM Support

Security Bulletin: IBM Cloud Pak for Network Automation 2.4.7 fixes multiple security vulnerabilities

Security Bulletin


Summary

IBM Cloud Pak for Network Automation 2.4.7 fixes multiple security vulnerabilities, listed in the CVEs below.

Vulnerability Details

CVEID:   CVE-2023-24538
DESCRIPTION:   Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by the failure to properly consider backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252178 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2023-28859
DESCRIPTION:   Redis redis-py could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251077 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2023-28858
DESCRIPTION:   Redis redis-py could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251076 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2023-28841
DESCRIPTION:   Moby could allow a remote attacker to obtain sensitive information, caused by the missing of encrypted sensitive data within the overlay network driver. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251928 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID:   CVE-2023-24537
DESCRIPTION:   Golang Go is vulnerable to a denial of service, caused by an infinite loop due to integer overflow when calling any of the Parse functions. By sending a specially crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252177 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-28840
DESCRIPTION:   Moby is vulnerable to a denial of service, caused by an unprotected alternate channel within encrypted overlay networks. By sending a specially crafted request to inject arbitrary Ethernet frames into the encrypted overlay network, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251927 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L)

CVEID:   CVE-2023-32309
DESCRIPTION:   PyMdown Extensions could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255365 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2022-41717
DESCRIPTION:   Golang Go is vulnerable to a denial of service, caused by a flaw when handling HTTP/2 requests in the Go server. By sending a specially-crafted keys, a remote attacker could exploit this vulnerability to cause excessive memory growth, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241875 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2022-41716
DESCRIPTION:   Golang Go could allow a remote attacker to bypass security restrictions, caused by improper checking for invalid environment variable values in syscall.StartProcess and os/exec.Cmd. By using a specially-crafted environment variable value, an attacker could exploit this vulnerability to set a value for a different environment variable.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2022-35255
DESCRIPTION:   Node.js could provide weaker than expected security, caused by the failure to check the return value after calls are made to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. A remote attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2023-28842
DESCRIPTION:   Moby could allow a remote attacker to bypass security restrictions, caused by an unprotected alternate channel within encrypted overlay networks. By sending a specially crafted request, an attacker could exploit this vulnerability to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)

CVEID:   CVE-2023-1436
DESCRIPTION:   Jettison is vulnerable to a denial of service, caused by an infinite recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250490 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-2251
DESCRIPTION:   YAML is vulnerable to a denial of service, caused by an uncaught exception in the parseDocument and parseAllDocuments functions. By sending a specially crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253642 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2022-32149
DESCRIPTION:   Golang Go is vulnerable to a denial of service, caused by improper input validation by the golang.org/x/text/language package. By sending a specially-crafted Accept-Language header, a remote attacker could exploit this vulnerability to cause ParseAcceptLanguage to take significant time to parse, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238605 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-24999
DESCRIPTION:   HashiCorp Vault and Vault Enterprise are vulnerable to a denial of service, caused by a flaw when using the approle auth method. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to destroy the secret ID of any other role, and results in a denial of service condition.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249893 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2023-0665
DESCRIPTION:   HashiCorp Vault and Vault Enterprise are vulnerable to a denial of service, caused by improper authorization in the PKI mount issuer endpoints. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID:   CVE-2023-0620
DESCRIPTION:   HashiCorp Vault and Vault Enterprise is vulnerable to SQL injection. A local authenticated attacker could send specially-crafted SQL statements to the Microsoft SQL (MSSQL) Database Storage Backend, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251563 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2023-25000
DESCRIPTION:   HashiCorp Vault and Vault Enterprise could allow a local authenticated attacker to obtain sensitive information, caused by the use of precomputed table lookups in the Shamir implementation. By utilize cache-timing attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251508 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)Version(s)
CP4NA2.x

Remediation/Fixes

As per CVEs listed above

IBM strongly suggests the following remediation / fixes:

IBM Cloud Pak for Network Automation 2.4.7 can be deployed on-premises.

Please go to https://www.ibm.com/docs/en/cloud-paks/cp-network-auto/2.4.x to follow the installation instructions relevant to your chosen architecture.

Workarounds and Mitigations

None.  Upgrade to the latest version.

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

Change History

20 Jun 2023: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDSDC","label":"IBM Cloud Pak for Network Automation"},"Component":"","Platform":[{"code":"PF040","label":"RedHat OpenShift"}],"Version":"2.x","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
20 June 2023

UID

ibm17005479