
Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps

2024-02-28 17:16:56
Source: www.ibm.com
Tags: ibm cloud pak for aiops, version 4.4.1, remote code execution, directory traversal, elevated privileges

CVSS3: 10
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: NONE; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

AI Score: 8.8 (Confidence: Low)
EPSS: 0.002 (Percentile: 61.3%)

Summary

Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.4.1.

Vulnerability Details

CVEID: CVE-2023-50447
**DESCRIPTION:** Pillow could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user-supplied input by the PIL.ImageMath.eval function. By sending a specially crafted request using keys that leverage the environment parameter, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/280022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
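As an added illustration of the Pillow issue above (example code written for this bulletin, not IBM's or Pillow's own), the wrapper below rejects environment keys of the kind the description refers to before anything reaches PIL.ImageMath.eval. It assumes Pillow's `ImageMath.eval(expression, _dict)` calling convention and mirrors the class of key restriction Pillow adopted in its fix; the Pillow import is deferred so the validator itself runs without Pillow installed.

```python
import builtins
import keyword

# Constructed sample environment for the demonstration (not from the bulletin).
SAMPLE_ENV = {"a": 1, "__import__": None, "exec": None, "b-1": 2}


def check_imagemath_env(env):
    """Return the environment keys that must be rejected before calling
    PIL.ImageMath.eval.  The keys become names inside an evaluated Python
    expression, so a key that is not a plain identifier, contains a dunder,
    or shadows a builtin lets the caller influence what the expression
    resolves to.  (Assumption: mirrors the kind of check Pillow added.)"""
    rejected = []
    for key in env:
        if not isinstance(key, str) or not key.isidentifier() or keyword.iskeyword(key):
            rejected.append(key)  # e.g. "b-1": not a bare name
        elif "__" in key:
            rejected.append(key)  # e.g. "__import__": dunder names
        elif hasattr(builtins, key):
            rejected.append(key)  # e.g. "exec": would shadow a builtin
    return rejected


def safe_imagemath_eval(expression, env):
    """Validate `env`, then delegate to Pillow.  `expression` must be trusted
    code written by the application, never data taken from a request."""
    bad = check_imagemath_env(env)
    if bad:
        raise ValueError(f"ImageMath environment keys not allowed: {bad}")
    from PIL import ImageMath  # deferred: the validator above needs no Pillow
    return ImageMath.eval(expression, env)


if __name__ == "__main__":
    print(check_imagemath_env(SAMPLE_ENV))  # ['__import__', 'exec', 'b-1']
```

Upgrading to a fixed Pillow release remains the actual remediation; the wrapper only shows the kind of input the vulnerable call must never see.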

CVEID: CVE-2023-49569
**DESCRIPTION:** go-git could allow a remote attacker to traverse directories on the system. By sending a specially crafted request using the ChrootOS <https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS>, an attacker could exploit this vulnerability to create and amend files across the filesystem and possibly execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/279932 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2024-23652
**DESCRIPTION:** Moby BuildKit could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted request to remove arbitrary files on the system.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/281107 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)

CVEID: CVE-2024-23653
**DESCRIPTION:** Moby BuildKit could allow a remote attacker to gain elevated privileges on the system, caused by improper validation of the entitlements check in the interactive containers API. By sending a specially crafted request, an attacker could exploit this vulnerability to run a container with elevated privileges.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/281108 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s): IBM Cloud Pak for AIOps
Version(s): 4.1.0 - 4.4.0

Remediation/Fixes

IBM strongly suggests that you address the vulnerabilities now for all affected products/versions listed above by installing the fix:

<https://www.ibm.com/docs/en/cloud-paks/cloud-pak-aiops/4.4.1?topic=support-security-bulletins-fixes>

Workarounds and Mitigations

None

Affected configurations

Vendor: ibm
Product: websphere_automation_for_ibm_cloud_pak_for_watson_aiops
Version: 4.4.1
CPE: cpe:2.3:a:ibm:websphere_automation_for_ibm_cloud_pak_for_watson_aiops:4.4.1:*:*:*:*:*:*:*
