IBMBF731935565FBC428BDCBFC95D3071B4992F5744B65B8A63A71BAE92354C086BSecurity Bulletin: Multiple Vulnerabilities in base image packages affect IBM Voice Gateway
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0.006 Low
EPSS
Percentile
77.9%
Summary
Security Vulnerabilities in base image packages affect IBM Voice Gateway.
Vulnerability Details
CVEID:CVE-2020-10735
**DESCRIPTION:**Python is vulnerable to a denial of service, caused by the failure to limit amount of digits converting text to int by the int() type in PyLong_FromString(). A remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235840 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-40674
**DESCRIPTION:**libexpat could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the doContent function in xmlparse.c. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236116 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-38178
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by a memory leak in the DNSSEC verification code for the EdDSA algorithm. By spoofing the target resolver with responses that have a malformed EdDSA signature, a remote attacker could exploit this vulnerability to cause named to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236706 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-3080
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by an error when stale cache and stale answers are enabled, option stale-answer-client-timeout is set to 0 and there is a stale CNAME in the cache for an incoming query. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause named to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236704 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-38177
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by a small memory leak in the DNSSEC verification code for the ECDSA algorithm. By spoofing the target resolver with responses that have a malformed ECDSA signature, a remote attacker could exploit this vulnerability to cause named to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236705 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-2795
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by a flaw in resolver code. By flooding the target resolver with queries, a remote attacker could exploit this vulnerability to severely degrade the resolver’s performance, effectively denying legitimate clients access to the DNS resolution service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-0391
**DESCRIPTION:**Python could provide weaker than expected security, cause by a improper input validation by the urllib.parse module. By sending a specially-crafted request using \r and \n characters in the URL path. An attacker could exploit this vulnerability to perform injection attack or launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Voice Gateway | 1.0.7.1 |
| Voice Gateway | 1.0.2 |
| Voice Gateway | 1.0.8 |
| Voice Gateway | 1.0.5 |
| Voice Gateway | 1.0.3 |
| Voice Gateway | 1.0.7 |
| Voice Gateway | 1.0.6 |
| Voice Gateway | 1.0.2.4 |
| Voice Gateway | 1.0.4 |
Remediation/Fixes
IBM strongly suggests upgrading to the following IBM Voice Gateway 1.0.8.x images:
ibmcom/voice-gateway-mr:1.0.8.4
ibmcom/voice-gateway-so:1.0.8.4
The above images can be found at the below links:
<https://hub.docker.com/r/ibmcom/voice-gateway-mr/tags>
<https://hub.docker.com/r/ibmcom/voice-gateway-so/tags>
Workarounds and Mitigations
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm voice gateway | eq | any |
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0.006 Low
EPSS
Percentile
77.9%