SB2024082737 - Multiple vulnerabilities in IBM Cloud Pak System
Published: August 27, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-4607)
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions. A local authenticated Lenovo XClarity Controller (XCC) user can change permissions for any user through a crafted API command.2) Format string error (CVE-ID: CVE-2023-25492)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a format string error within the XCC web interface. A remote user can send a specially crafted HTTP request to the API and perform a denial of service (DoS) attack.
3) Information disclosure (CVE-ID: CVE-2023-25495)
The vulnerability allows a remote administrator to gain access to sensitive information.
The vulnerability exists due to API exposes LDAP configuration, including the configured LDAP client password used by XCC to authenticate to an external LDAP server. A remote privileged user can gain access to sensitive information.
4) Improper access control (CVE-ID: CVE-2023-0683)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the API. A remote user can send a specially crafted request to the API and gain unauthorized access to the application.
Remediation
Install update from vendor's website.