IBMD3D3899A8B2A0C54488525B674CF7B4E75E80F2560DCAC8A40FE4A7667ABE925Security Bulletin: IBM Storage Ceph is vulnerable to an Infinite Loop in Grafana (CVE-2024-24786)
AI Score
Confidence
High
Summary
Protobuf is used by IBM Storage Ceph in Grafana as part of metrics. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-24786.
Vulnerability Details
CVEID:CVE-2024-24786
**DESCRIPTION:**Protocol Buffers protobuf-go is vulnerable to a denial of service, caused by an infinite loop flaw in the rotojson.Unmarshal function when unmarshaling certain forms of invalid JSON. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285337 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Storage Ceph | 7.0-7.0z2 |
| IBM Storage Ceph | 6.0 |
| IBM Storage Ceph | 5.3-5.3z4 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
Download the latest version of IBM Storage Ceph and upgrade to 7.1 by following instructions.
<https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/>
<https://www.ibm.com/docs/en/storage-ceph/7?topic=upgrading>
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | storage_ceph | 7.0 | cpe:2.3:a:ibm:storage_ceph:7.0:*:*:*:*:*:*:* |
| ibm | storage_ceph | 2 | cpe:2.3:a:ibm:storage_ceph:2:*:*:*:*:*:*:* |
| ibm | storage_ceph | 6.0 | cpe:2.3:a:ibm:storage_ceph:6.0:*:*:*:*:*:*:* |
| ibm | storage_ceph | 5.3 | cpe:2.3:a:ibm:storage_ceph:5.3:*:*:*:*:*:*:* |
| ibm | storage_ceph | 4 | cpe:2.3:a:ibm:storage_ceph:4:*:*:*:*:*:*:* |
Related
AI Score
Confidence
High