
Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to denial of service due to hbase-client

Summary

hbase-client is used by the ds-cas-lite microservice as part of the HBase API functionality.

Vulnerability Details

CVEID: CVE-2023-52428
DESCRIPTION: Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
--- | ---
DataStage on Cloud Pak for Data | 4.8.5 – 4.8.8

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to DataStage on Cloud Pak for Data version 5.0.0 and subsequent releases. Here is the detailed information on Upgrading IBM Cloud Pak for Data.

Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions
--- | --- | ---
DataStage on Cloud Pak for Data | 4.8.5 – 4.8.8 | Upgrade to Cloud Pak for Data 5.0.0

Workarounds and Mitigations…
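The CWE-770 weakness above is an iteration count (the JWE p2c header) that the decrypter honours without an upper bound. As an added defensive example, not code from the bulletin or from Nimbus-JOSE-JWT, the Python below inspects a compact JWE's protected header before any key derivation and refuses PBES2 tokens whose p2c exceeds a configured ceiling; MAX_P2C and the sample tokens are constructed assumptions for the example.

```python
import base64
import json

# Illustrative ceiling on the PBES2 iteration count (JWE "p2c" header). RFC 7518
# sets a floor of 1000; the ceiling is a deployment choice bounding how much
# PBKDF2 work one unauthenticated request may demand (assumed, not from the bulletin).
MAX_P2C = 1_000_000
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Compact JWE segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def screen_jwe(token: str, max_p2c: int = MAX_P2C) -> tuple[bool, str]:
    """Check a compact JWE header before key derivation; returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 5:
        return False, "not a compact JWE (expected 5 segments)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "protected header is not valid base64url JSON"
    if not isinstance(header, dict) or header.get("alg") not in PBES2_ALGS:
        return True, "not a PBES2 token; p2c does not apply"
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1000:
        return False, "p2c must be an integer of at least 1000"
    if p2c > max_p2c:
        return False, f"p2c={p2c} exceeds configured cap of {max_p2c}"
    return True, f"p2c={p2c} within cap"


def make_sample_jwe(header: dict) -> str:
    """Build a constructed compact JWE; the four non-header segments are filler."""
    filler = _b64url(b"constructed-placeholder")
    return ".".join([_b64url(json.dumps(header).encode())] + [filler] * 4)


# Constructed sample tokens: a reasonable iteration count and an abusive one.
_HDR = {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": _b64url(b"salt-salt")}
SAFE_TOKEN = make_sample_jwe({**_HDR, "p2c": 4096})
OVERSIZED_TOKEN = make_sample_jwe({**_HDR, "p2c": 2_000_000_000})
```

Running such a gate in front of the library call bounds the work an unauthenticated request can trigger; it complements, rather than replaces, upgrading to a fixed release.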
