SB2023113029 - IBM Watson Discovery Cartridge for IBM Cloud Pak for Data update for Apache ZooKeeper

Published: November 30, 2023

Security Bulletin ID: SB2023113029
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2023-44981)

The vulnerability allows a remote attacker to bypass the authorization process.

The vulnerability exists due to an improper implementation of SASL Quorum Peer authentication. The instance part of the SASL authentication ID, which is checked against the server list in zoo.cfg, is optional, and if it is missing the authorization check is skipped. As a result, an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.
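The following is an added illustration of the flaw described above, written as a constructed Python model rather than ZooKeeper's or IBM's own code; the helper names and the zoo.cfg fragment are assumptions made for the example. It shows the check that admits a peer whose authentication ID lacks an instance part, beside a corrected check that refuses such an ID.

```python
import re
from typing import Optional

# Constructed zoo.cfg fragment: the quorum server list the instance part
# of a peer's SASL authentication ID is supposed to be matched against.
ZOO_CFG = """\
tickTime=2000
server.1=zk1.example.internal:2888:3888
server.2=zk2.example.internal:2888:3888
server.3=zk3.example.internal:2888:3888
"""


def quorum_hosts(cfg: str) -> set[str]:
    """Collect the host part of every server.N=host:port:port entry."""
    hosts = set()
    for line in cfg.splitlines():
        m = re.match(r"server\.\d+=([^:]+):", line.strip())
        if m:
            hosts.add(m.group(1))
    return hosts


def parse_authz_id(authz_id: str) -> tuple[str, Optional[str]]:
    """Split 'primary/instance@REALM' into (primary, instance).

    The instance part is optional in this ID format, which is exactly
    what the vulnerable check below fails to account for.
    """
    name = authz_id.split("@", 1)[0]
    if "/" in name:
        primary, instance = name.split("/", 1)
        return primary, instance or None
    return name, None


def authorize_vulnerable(authz_id: str, cfg: str) -> bool:
    """Model of the flawed logic: a missing instance skips the check."""
    _, instance = parse_authz_id(authz_id)
    if instance is None:
        return True  # authorization check skipped: any endpoint is admitted
    return instance in quorum_hosts(cfg)


def authorize_fixed(authz_id: str, cfg: str) -> bool:
    """Corrected logic: the instance part is mandatory and must be a
    configured quorum member; anything else is rejected."""
    _, instance = parse_authz_id(authz_id)
    if instance is None:
        return False
    return instance in quorum_hosts(cfg)
```

The difference is confined to the branch taken when the instance part is absent: the vulnerable model admits the peer, the corrected model rejects it.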


Remediation

Install the update from the vendor's website.