SB2022090507 - Denial of service in IBM Cloud Automation Manager
Published: September 5, 2022
Security Bulletin ID
SB2022090507
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Certificate Validation (CVE-ID: CVE-2021-34558)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper certificate verification in crypto/tls package in Go when processing X.509 certificates. The application does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-golang-go-affects-ibm-cloud-automation-manager/"
- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-golang-go-affects-ibm-cloud-automation-manager/</a><br>
- https://www.ibm.com/support/pages/node/6489851<br><br></p>