Security Bulletin: Due to the use of OpenTelemetry gRPC, IBM CICS TX Standard is vulnerable to a Denial of Service vulnerability (CVE-2023-47108).
Description

Summary

There is a vulnerability in the OpenTelemetry gRPC instrumentation package (otelgrpc, part of OpenTelemetry-Go Contrib), which is shipped as part of IBM CICS TX Standard. An update to IBM CICS TX Standard has been released to address the vulnerability.

Vulnerability Details

CVEID: CVE-2023-47108
DESCRIPTION: OpenTelemetry-Go Contrib is vulnerable to a denial of service caused by unbounded metric cardinality in otelgrpc. The gRPC Unary Server Interceptor, as configured out of the box, attaches the labels net.peer.sock.addr and net.peer.sock.port to every metric it records. Both values are chosen by the client, so every connection from a new source address or source port creates a new metric series that is kept in memory and never released. A remote, unauthenticated attacker who sends requests from a large number of distinct peer addresses or ports can exploit this to consume all available memory and crash the service.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/272509 for the current score.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products and Versions

Affected Product(s): IBM CICS TX Standard
Version(s): 11.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading IBM CICS TX Standard.

Product: IBM CICS TX Standard
Version: 11.1
Platform: Linux
Remediation/Fix: Download the upgrade from Fix Central

Workarounds and Mitigations: …
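The following Go program is an added illustration of the cardinality problem described above; it is not code from IBM, CICS TX, or the otelgrpc project. It models what a unary server interceptor records per RPC with a constructed in-memory metric store: one version attaches the client-controlled net.peer.sock.addr and net.peer.sock.port labels (the vulnerable default), the other keeps only server-defined labels (the approach the upstream fix took by dropping the peer socket attributes). The RPC calls, the method name and the TEST-NET client address 203.0.113.7 are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// rpcCall is a constructed stand-in for what a gRPC unary server interceptor
// sees for one request: the RPC method plus the client's socket address/port.
type rpcCall struct {
	Method   string
	PeerAddr string
	PeerPort int
}

// attributeSet is the label set recorded with a measurement. Each distinct
// set becomes its own time series in the metric store.
type attributeSet map[string]string

// attrFunc derives the label set for a call. This is the policy decision the
// CVE is about: which attributes are attached to every measurement.
type attrFunc func(rpcCall) attributeSet

// peerLabeledAttrs models the vulnerable default: net.peer.sock.addr and
// net.peer.sock.port, both chosen by the client, are attached to every sample.
func peerLabeledAttrs(c rpcCall) attributeSet {
	return attributeSet{
		"rpc.method":         c.Method,
		"net.peer.sock.addr": c.PeerAddr,
		"net.peer.sock.port": fmt.Sprint(c.PeerPort),
	}
}

// boundedAttrs keeps only labels whose value space the server controls
// (the set of registered RPC methods), so the number of series is fixed.
func boundedAttrs(c rpcCall) attributeSet {
	return attributeSet{"rpc.method": c.Method}
}

// seriesKey renders a label set into a canonical string (sorted by key) so
// that identical label sets map to the same series.
func seriesKey(a attributeSet) string {
	keys := make([]string, 0, len(a))
	for k := range a {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		b.WriteString(k)
		b.WriteByte('=')
		b.WriteString(a[k])
		b.WriteByte(';')
	}
	return b.String()
}

// durationHistogram mimics the per-series state a metric reader keeps in
// memory: every previously unseen label set allocates a new entry that is
// never freed for the lifetime of the process.
type durationHistogram struct {
	attrs  attrFunc
	series map[string]int // series key -> number of samples recorded
}

func newHistogram(f attrFunc) *durationHistogram {
	return &durationHistogram{attrs: f, series: make(map[string]int)}
}

// Record is what the interceptor does after each RPC completes.
func (h *durationHistogram) Record(c rpcCall) {
	h.series[seriesKey(h.attrs(c))]++
}

// SeriesCount is the resident state that an attacker drives upward.
func (h *durationHistogram) SeriesCount() int { return len(h.series) }

// simulateClient issues n calls to the same method from one host, each from
// a fresh ephemeral source port, as a client that reconnects per request
// (or an attacker deliberately cycling ports) would.
func simulateClient(h *durationHistogram, host string, n int) {
	for i := 0; i < n; i++ {
		h.Record(rpcCall{Method: "/example.Svc/Ping", PeerAddr: host, PeerPort: 30000 + i})
	}
}

func main() {
	vulnerable := newHistogram(peerLabeledAttrs)
	fixed := newHistogram(boundedAttrs)
	simulateClient(vulnerable, "203.0.113.7", 10000) // constructed TEST-NET client
	simulateClient(fixed, "203.0.113.7", 10000)
	fmt.Printf("with peer labels:    %d series after 10000 calls from one host\n", vulnerable.SeriesCount())
	fmt.Printf("without peer labels: %d series after 10000 calls from one host\n", fixed.SeriesCount())
}
```

With the peer labels every call from a new source port is a new series, so memory grows linearly with attacker-controlled input; without them the series count stays equal to the number of distinct RPC methods regardless of how many clients connect. When reviewing your own instrumentation, the check is the same: any label whose value is chosen by the remote side (address, port, user-supplied header, request ID) must either be dropped or reduced to a bounded set before it is used as a metric attribute.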
