Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image

Summary

Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 279.

Vulnerability Details

CVEID:CVE-2024-24790
**DESCRIPTION:**An unspecified error related to various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses in the net/netip package in Golang Go has an unknown impact and attack vector.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292953 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2024-5321
**DESCRIPTION:**Kubernetes kubelet could allow a local authenticated attacker to bypass security restrictions, caused by incorrect permissions on Windows containers logs. By sending a specially crafted request, an attacker could exploit this vulnerability to read and modify container logs.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298140 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

CVEID:CVE-2019-1002100
**DESCRIPTION:**The Kubernetes API server is vulnerable to a denial of service. By sending a specially crafted patch of type “json-patch” requests, a remote authenticated attacker could exploit this vulnerability to consume an excessive amount of resources.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-47108
**DESCRIPTION:**OpenTelemetry OpenTelemetry-Go Contrib is vulnerable to a denial of service, caused by an unbound cardinality metrics flaw in otelgrpc when the grpc Unary Server Interceptor out of the box adds labels net.peer.sock.addr and net.peer.sock.port. By sending a specially crafted request, a remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272509 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-32473
**DESCRIPTION:**Moby could allow a local attacker to obtain sensitive information, caused by a flaw with IPv6 is enabled on IPv4-only network interfaces. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289333 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H)

CVEID:CVE-2023-45288
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a memory exhaustion flaw due to flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286962 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-24788
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a high cpu usage in extractExtendedRCode function in the net module. By sending a specially crafted DNS message in response to a query, a remote attacker could exploit this vulnerability to cause an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290108 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-8554
**DESCRIPTION:**Kubernetes could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when using LoadBalancer or ExternalIPs. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to patch the status of a LoadBalancer service.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192721 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2020-8561
**DESCRIPTION:**Kubernetes could allow a remote authenticated attacker to obtain sensitive information, caused by a webhook redirect flaw in the kube-apiserver. By gaining access to the kube-apiserver log files, an attacker could exploit this vulnerability to view the redirected responses and headers information, and use this information to launch further attacks against the affected system.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209532 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-45289
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive headers information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285338 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-45290
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when parsing a multipart form in the net/textproto package. By sending a specially crafted input, a remote attacker could exploit this vulnerability to allocate arbitrarily large amounts of memory, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-24783
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the crypto/x509 package when verifying a certificate chain. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause Certificate.Verify to panic, and results in a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285303 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2024-24784
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the crypto/x509 package when verifying a certificate chain. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause Certificate.Verify to panic, and results in a denial of service condition.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285304 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2024-24785
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the MarshalJSON methods in the html/template package. By sending a specially crafted request, an attacker could exploit this vulnerability to inject unexpected content into templates.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:CVE-2024-24789
**DESCRIPTION:**Golang Go could allow a local attacker to bypass security restrictions, caused by a flaw with EOCDR comment length handling is inconsistent with other ZIP implementations in the archive/zip package. By sending a specially crafted request, an attacker could exploit this vulnerability to create an zip file with contents that vary depending on the implementation reading the file.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/292952 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2024-24791
**DESCRIPTION:**Go net/http package is vulnerable to a denial of service, caused by improper 100-continue header handling. By sending “Expect: 100-continue” requests, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298554 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by updating IBM Observability with Instana to the latest release as described here:

<https://www.ibm.com/docs/en/instana-observability/current&gt;

Workarounds and Mitigations

None