IBMB215CC2162C439871F6CD47C6AB1D3CA9FDB9DF018C51103CB475E2C843DD2A6Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.5 is vulnerable to multiple Operator package issues
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
Summary
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.5 is vulnerable to multiple Operator package issues… We have performed updates to the Operators used by our Speech Services. The following vulnerabilities have been addressed in this update. Please read the details for remediation below.
Vulnerability Details
CVEID:CVE-2024-35326
**DESCRIPTION:**The YAML Project LibYAML is vulnerable to a buffer overflow, caused by improper bounds checking by the function yaml_emitter_emit of the file /src/libyaml/src/emitter.c. By sending a specially crafted request, a remote attacker could overflow a buffer, triggering a double-free vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294972 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2024-35328
**DESCRIPTION:**The YAML Project LibYAML is vulnerable to a distributed denial of service, caused by an derror in the function yaml_parser_parse of the file /src/libyaml/src/parser.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294971 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2024-39689
**DESCRIPTION:**Certifi python-certifi could provide weaker than expected security, caused by the use of GLOBALTRUST root certificate. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297375 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2024-4032
**DESCRIPTION:**An unspecified error with ipaddress considers some not globally reachable addresses global and vice versa in Python CPython has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294993 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data | 4.0.0 - 4.8.5 |
Remediation/Fixes
| Product(s) | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data | 4.8.6 | The fix in 4.8.6 applies to all versions listed (4.0.0-4.8.5). Version 4.8.6 can be downloaded and installed from: <https://www.ibm.com/docs/en/cloud-paks/cp-data> |
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | watson_assistant_for_ibm_cloud_pak_for_data | 4.0.0 | cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.0.0:*:*:*:*:*:*:* |
| ibm | watson_assistant_for_ibm_cloud_pak_for_data | 4.8.5 | cpe:2.3:a:ibm:watson_assistant_for_ibm_cloud_pak_for_data:4.8.5:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low