IBM Support

Security Bulletin: IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is affected but not considered vulnerable to CVE-2023-45288

Security Bulletin


Summary

IBM Planning Analytics Cartridge for IBM Cloud Pak for Data is affected but not considered vulnerable, based on current information, to CVE-2023-45288 in Golang Go used by the IBM Planning Analytics Engine. This has been resolved by upgrading Golang Go to a non-vulnerable version. This Security Bulletin relates only to the direct usage of third-party components by IBM Planning Analytics Cartridge on Cloud Pak and not any nested dependencies within the product.

Vulnerability Details

CVEID:   CVE-2023-45288
DESCRIPTION:   An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
CWE:   CWE-202: Exposure of Sensitive Information Through Data Queries
CVSS Source:   CISA ADP
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)Version(s)
IBM Planning Analytics Cartridge for IBM Cloud Pak for Data5.0.0
IBM Planning Analytics Cartridge for IBM Cloud Pak for Data4.8.0
IBM Planning Analytics Cartridge for IBM Cloud Pak for Data4.7.0

Remediation/Fixes

It is strongly recommended that you apply the most recent security update:

Affected Product(s)Version(s)Fix
IBM Planning Analytics Cartridge for IBM Cloud Pak for Data5.0.0

Upgrading IBM Planning Analytics from Version 5.0.x to a later 5.0 refresh

IBM Planning Analytics Cartridge for IBM Cloud Pak for Data4.8.0

Upgrading IBM Planning Analytics from Version 4.8 to Version 5.0

IBM Planning Analytics Cartridge for IBM Cloud Pak for Data4.7.0

Upgrading IBM Planning Analytics from Version 4.7 to Version 5.0


IBM Cloud Pak for Data 5.0.1 includes IBM Planning Analytics Workspace Version 2.0.97 which has addressed multiple vulnerabilities in Open Source Software (OSS) components.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

What's new in IBM Cloud Pak for Data (Version 5.0.1)

Security Bulletin:  IBM Planning Analytics is affected by vulnerabilities in IBM Java and IBM Websphere Application Server Liberty 
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open-Source Software (OSS) components
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components
Security Bulletin: IBM Planning Analytics Local - Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

These definitions can be found on the following IBM PSIRT News page: https://www.ibm.com/support/pages/node/6610583

Affected: The software product contains code, which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.

Affected/Vulnerable Products and Versions: As used in IBM Security Bulletins, this category is intended to be only products and versions that are supported by IBM, and have not passed their end-of-support or warranty date. Thus, not including a reference in a Security Bulletin to unsupported or extended-support products or versions does not indicate a determination by IBM that they are unaffected by the vulnerability. Additionally, including a reference to one or more unsupported versions in a Security Bulletin (including reference to "All" versions) does not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

 

Acknowledgement

Change History

03 Feb 2025: CVE details updated
01 Aug 2024: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCTEW","label":"IBM Planning Analytics Local"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"2.0","Edition":"All","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSDVGH","label":"IBM Planning Analytics Cartridge for IBM Cloud Pak for Data"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"4.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
03 February 2025

Initial Publish date:
01 August 2024

UID

ibm17161688

Page Feedback