Security Bulletin: Multiple Vulnerabilities in Multicloud Management Security Services

Summary

Multiple vulnerabilities were fixed in IBM Cloud Pak for Multicloud Management Security Services

Vulnerability Details

CVEID:CVE-2022-31512
**DESCRIPTION:**flask-mvc could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231110 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)

CVEID:CVE-2022-31504
**DESCRIPTION:**BaiduWenkuSpider_flaskWeb could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231126 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)

CVEID:CVE-2022-31527
**DESCRIPTION:**flask-file-server could allow a remote attacker to traverse directories on the system, caused by the Flask send_file function being used unsafely. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system or cause a denial of service.
CVSS Base score: 9.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)

CVEID:CVE-2022-32148
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by improper exposure of client IP addresses in net/http. By calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, an attacker could exploit this vulnerability to obtain the client IP address information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/233148 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Upgrade to IBM Cloud Pak for Multicloud Management 2.3 Fix Pack 6 by following the instructions in

<https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=upgrade-upgrading-fix-pack-6&gt;

Workarounds and Mitigations

None