SB2023022319 - Multiple vulnerabilities in IBM FlashSystem 840 and 900
Published: February 23, 2023
Security Bulletin ID
SB2023022319
Severity
Medium
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Use-after-free error (CVE-ID: CVE-2017-18017)
The vulnerability allows a remote attacker to cause DoS condition no the target system.The weakness exists in the tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel due to use-after-free error. A remote attacker can leverage the presence of xt_TCPMSS in an iptables action, trigger memory corruption and cause the system to crash.
2) Information disclosure (CVE-ID: CVE-2017-17449)
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.The weakness exists due to the __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace. A local attacker can leverage the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system and read arbitrary files.
Remediation
Install update from vendor's website.