9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
48.6%
Yq is used by IBM Cloud Pak for Data Scheduling as part of the Ansible operator used for installation of the Scheduler. This bulletin identifies the steps to take to address the below vulnerabilities.
CVEID:CVE-2023-39320
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the go.mod toolchain directive. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265873 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2023-39321
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when processing partial post-handshake message in QUICConn.HandleData in the crypto/tls package. By sending a specially crafted post-handshake message for a QUIC connection, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-39322
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw when reading post-handshake messages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause unbounded memory growth, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265863 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products/Versions guidance:
Affected Product(s)|**Version(s)
**
—|—
IBM Cloud Pak for Data Scheduling| 4.6.4 - 4.7.4
Remediation/Fixes guidance:
IBM strongly recommends addressing the vulnerability now.
Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
---|---|---|
IBM Cloud Pak for Data Scheduling | 4.6.4 - 4.7.4 | Download v4.8 and follow instructions |
Note: IBM Cloud Pak for Data Scheduling is bundled with IBM Cloud Pak for Data to provide advanced scheduling features.
Workarounds/Mitigation guidance:
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm cloud pak for data | eq | 4.8.0 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
48.6%