IBM28523A381C6C377C3A9FFF9029ED96205F79ABF30FD592139FA5D253C069AF02Security Bulletin: IBM Storage Fusion HCI is vulnerable to unauthorized access due to a flaw in Ceph RGW.
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
6.2 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.2%
Summary
Ceph is used by IBM Storage Fusion HCI if IBM Storage Fusion HCI is configured with the Data Foundation service. CVE-2023-43040.
Vulnerability Details
CVEID:CVE-2023-43040
**DESCRIPTION:**IBM Spectrum Fusion HCI could allow an attacker to perform unauthorized actions in RGW for Ceph due to improper bucket access.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266807 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L)
Affected Products and Versions
Affected Product(s)|**Version(s)
**
—|—
IBM Storage Fusion HCI| 2.5.2 - 2.7.2
Remediation/Fixes
| Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
|---|---|---|
| IBM Storage Fusion HCI | 2.5.2 - 2.7.2 | Upgrade IBM Storage Fusion HCI to v2.8.0, then upgrade Data Foundation |
For upgrade instructions, see
- Readme: IBM Storage Fusion HCI for Fusion HCI upgrade instructions
- Upgrading Fusion Data Foundation Service
Workarounds and Mitigations
NA
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm storage fusion hci appliance software | eq | 2.8.0 |
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
6.2 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.2%