
Security Bulletin: Vulnerability in Ansible bundled with IBM Spectrum Fusion HCI

2022-09-29 22:36:09
www.ibm.com
ibm spectrum fusion, ansible, vulnerability, disclosure, sensitive information, authentication, bypass, security restrictions, authorization, fix

CVSS2

Base score: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

Base score: 8
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS

Score: 0.001
Percentile: 37.0%

Summary

IBM Spectrum Fusion includes Ansible, which could allow a local authenticated attacker to obtain sensitive information (CVE-2021-20180).

Vulnerability Details

CVEID: CVE-2021-20180
**DESCRIPTION:** Ansible could allow a local authenticated attacker to obtain sensitive information, caused by disclosure of information in the console log when using the bitbucket_pipeline_variable. An attacker could exploit this vulnerability to steal bitbucket_pipeline credentials.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222527 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2021-3589
**DESCRIPTION:** Foreman Ansible could allow a remote authenticated attacker to bypass security restrictions, caused by an authorization flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to access hosts through job templates.
CVSS Base score: 6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222525 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Spectrum Fusion HCI | 2.1 |

Remediation/Fixes

IBM Spectrum Fusion’s version of Ansible has been updated to remediate this vulnerability:

| Release | Link to Fix |
| --- | --- |
| IBM Spectrum Fusion HCI v2.3 | <https://www.ibm.com/support/pages/node/6611399> |

Workarounds and Mitigations

None

Affected configurations

Node: ibm storage_fusion_hci, Match 2.3

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | storage_fusion_hci | 2.3 | cpe:2.3:a:ibm:storage_fusion_hci:2.3:*:*:*:*:*:*:* |
