SB2022101425 - Improper authorization in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Published: October 14, 2022
Security Bulletin ID
SB2022101425
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjecent network
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authorization (CVE-ID: CVE-2022-26691)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an error in implementation of "Local" authorization mechanism. A remote attacker can authenticate as to CUPS as root/admin without the 32-byte secret key and execute arbitrary code on the system.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data-is-vulnerable-to-elevated-privileges-in-apple-macos-monterey-and-macos-big-sur-cve-2022-26691/"
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-services-cartridge-for-ibm-cloud-pak-for-data-is-vulnerable-to-elevated-privileges-in-apple-macos-monterey-and-macos-big-sur-cve-2022-26691/</a><br>
- https://www.ibm.com/support/pages/node/6829141<br><br></p>