CVSS3 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
AI Score Confidence | High |
EPSS Percentile | 73.8% |
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.5 is affected by arbitrary code execution in OpenSSH server, caused by a signal handler race condition [CVE-2024-6387]. OpenSSH is a component of a glibc library that is included in our Speech Service Runtimes, but not actively used. A hotfix has been created which addresses this latent issue. Please read the details for remediation below.
CVEID: CVE-2024-6387
**DESCRIPTION:** OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a signal handler race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with root privileges on glibc-based Linux systems.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data | 4.8.5 |
Product(s) | Version(s) | Remediation/Fix/Instructions |
---|---|---|
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data | 4.8.5 | The hotfix applies to version 4.8.5 and can be installed by running the command line interface command below, which will apply a new Speech Services Runtime image. |
The hotfix should be applied from the client workstation that Cloud Pak for Data was installed from. For details on how to set up a client workstation see: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=installing-setting-up-client-workstation>.
The hotfix command requires the same environment variables used in the installation or upgrade to be configured. To re-configure them, refer to <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.8.x?topic=information-setting-up-installation-environment-variables>.
Hotfix Command:
cpd-cli manage update-cr --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} --component=watson_speech --patch='{"image_digests":{"stt_runtime_chuck":"sha256:d8a00125fc2fba8e1fa516e97c6de40fc4d6dddd5b2b41ca649f0c6465b11984","tts_runtime_chuck":"sha256:d8a00125fc2fba8e1fa516e97c6de40fc4d6dddd5b2b41ca649f0c6465b11984","am_patcher_chuck":"sha256:d8a00125fc2fba8e1fa516e97c6de40fc4d6dddd5b2b41ca649f0c6465b11984"}}'
None