Security Bulletin: IBM Storage Ceph is vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer in the RHEL UBI (CVE-2023-39615)

2024-08-0522:03:30

www.ibm.com

ibm storage ceph

buffer overflow

rhel ubi

cve-2023-39615

xmlsoft libxml2

denial of service

ibm

upgrade

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

27.8%

JSON

Summary

RHEL UBI is used by IBM Storage Ceph as the base operating system. This bulletin identifies the steps to take to address the vulnerability in the RHEL UBI. CVE-2023-39615.

Vulnerability Details

CVEID:CVE-2023-39615
**DESCRIPTION:**Xmlsoft Libxml2 is vulnerable to a denial of service, caused by a global buffer overflow in the xmlSAX2StartElement() function at /libxml2/SAX2.c. By supplying a crafted XML file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264758 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Ceph	7.0
IBM Storage Ceph	6.1z1-z3, 6.0
IBM Storage Ceph	5.3z1-z5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.0z1 or later by following instructions.

<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading>