Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2022-25881 CVE-2023-2251 CVE-2023-29401 |
CWE-ID | CWE-407 CWE-248 CWE-494 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | IBM Fusion HCI Server applications / Other server solutions |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU72750
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-25881
CWE-ID:
CWE-407 - Inefficient Algorithmic Complexity
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a regular expression denial of service (ReDoS) that occurs when the server reads the cache policy from the request using the affected library. A remote unauthenticated attacker can send malicious request header values to the server and perform a denial of service attack.
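The defensive pattern for CWE-407 in header parsing is to avoid backtracking regular expressions on attacker-controlled values altogether and to bound the input size before parsing. The following is an added example, not code from the advisory or from the affected library: a single-pass Cache-Control parser with an assumed 1024-byte cap (MAX_HEADER_LENGTH, isCacheable and parseCacheControl are names chosen for this illustration).

```javascript
// Added example (not from the advisory or the affected library): a Cache-Control
// parser that runs in linear time and bounds input size, so a hostile header
// value cannot trigger catastrophic regex backtracking.
const MAX_HEADER_LENGTH = 1024; // assumed limit; tune for your deployment

// Parse "max-age=60, no-cache, private" into
// { "max-age": "60", "no-cache": true, "private": true }.
// Returns null for oversized headers instead of attempting to parse them.
function parseCacheControl(headerValue) {
  if (typeof headerValue !== 'string') return {};
  if (headerValue.length > MAX_HEADER_LENGTH) return null;

  const directives = {};
  // Single pass: split on commas, then on the first '=' of each directive.
  for (const rawPart of headerValue.split(',')) {
    const part = rawPart.trim();
    if (part.length === 0) continue;
    const eq = part.indexOf('=');
    if (eq === -1) {
      directives[part.toLowerCase()] = true;
    } else {
      const name = part.slice(0, eq).trim().toLowerCase();
      let value = part.slice(eq + 1).trim();
      // Strip a surrounding quoted-string, e.g. no-cache="set-cookie".
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1);
      }
      if (name.length > 0) directives[name] = value;
    }
  }
  return directives;
}

// The one decision a cache needs: may this response be stored?
// An oversized header fails closed (treated as not cacheable).
function isCacheable(headerValue) {
  const d = parseCacheControl(headerValue);
  if (d === null) return false;
  if (d['no-store'] || d['private']) return false;
  return true;
}
```

Every operation used (split, trim, indexOf, slice) is linear in the input length, so the worst-case cost of a crafted header is proportional to the cap rather than exponential; the length check also gives a cheap point at which to log and count rejected headers.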
Mitigation: Install update from vendor's website.
Vulnerable software versions: IBM Fusion HCI: before 2.6.1
CPE2.3
External links: https://www.ibm.com/support/pages/node/7029669
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU76605
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-2251
CWE-ID:
CWE-248 - Uncaught Exception
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a denial of service condition.
The vulnerability exists due to an uncaught exception in the parseDocument() and parseAllDocuments() functions. A remote unauthenticated attacker can send a specially crafted input and cause a denial of service condition.
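In a Node.js service an exception that escapes a request handler's synchronous path terminates the whole process, which is why an uncaught exception in a parser (CWE-248) is a remotely triggerable denial of service. The following added example is not code from the advisory or from the affected library; it uses JSON.parse as a stand-in for a document parser because it is built in and throws on malformed input, and the names safeParse, handleUpload and MAX_BODY_BYTES are assumptions for the illustration.

```javascript
// Added example (not from the advisory or the affected library). Treats every
// parser call on untrusted input as fallible and turns parser errors into a
// 4xx response instead of letting them crash the process.

// Stand-in for a document parser such as parseDocument(); assumption: JSON.parse
// is used here because it is built in and throws on malformed input.
function parseDocument(text) {
  return JSON.parse(text);
}

const MAX_BODY_BYTES = 64 * 1024; // assumed cap for request bodies

// Wraps a throwing parser so callers get a result object, never an exception.
function safeParse(parser, text) {
  if (typeof text !== 'string') return { ok: false, error: 'body is not text' };
  if (Buffer.byteLength(text, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, error: 'body too large' };
  }
  try {
    return { ok: true, value: parser(text) };
  } catch (err) {
    // Classify the failure for logging/detection, but never let it propagate.
    const error = err instanceof SyntaxError ? 'malformed document' : 'parse failure';
    return { ok: false, error };
  }
}

// Minimal request handler returning { status, body } so behaviour is testable.
function handleUpload(body) {
  const result = safeParse(parseDocument, body);
  if (!result.ok) return { status: 400, body: { error: result.error } };
  // A well-formed document can still be a scalar or null; guard before using it
  // as an object so this path cannot throw either.
  const value = result.value;
  const keys = value !== null && typeof value === 'object' ? Object.keys(value).length : 0;
  return { status: 200, body: { keys } };
}
```

The size cap in safeParse is a second line of defence: it rejects pathological inputs before the parser runs, and the rejected-body count is a useful signal to alert on.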
Mitigation: Install update from vendor's website.
Vulnerable software versions: IBM Fusion HCI: before 2.6.1
CPE2.3
External links: https://www.ibm.com/support/pages/node/7029669
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU80818
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-29401
CWE-ID:
CWE-494 - Download of Code Without Integrity Check
Exploit availability: No
Description: The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists because the software does not perform an integrity check when downloading updates. A remote attacker with the ability to perform a man-in-the-middle (MitM) attack can supply a malicious software image and modify data on the system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: IBM Fusion HCI: before 2.6.1
CPE2.3
External links: https://www.ibm.com/support/pages/node/7029669
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.