Apr 26, 2023 - 4:24 p.m.

Security Bulletin: Docker based datastores for IBM Instana do not currently require authentication

2023-04-26 16:24:11
www.ibm.com

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 41.6%

Summary

Docker based datastores for IBM Instana do not currently require authentication. Due to this, an attacker with network or system access to the datastores could interrogate the datastores with read/write privileges (CVE-2023-27290).

Vulnerability Details

CVEID: CVE-2023-27290
**DESCRIPTION:** Docker based datastores for IBM Instana do not currently require authentication. Due to this, an attacker within the network or on the system could access the datastores with read/write access.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248737 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s): IBM Observability with Instana

Version(s):

  • 239-0 to 239-4
  • 241-0 to 241-5
  • 243-0 to 243-6
  • 245-0 to 245-2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Upgrading your Instana console:
<https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana>
Use the appropriate package manager command to update the Instana console to the desired package version.

See the following example for Ubuntu:

To get the latest version, run the command as follows:

  • sudo apt-get install instana-console

Workarounds and Mitigations

None

