Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Storage - GlusterFS and Minio

Vulnerability Details

CVEID: CVE-2018-14618
DESCRIPTION: cURL libcurl is vulnerable to a buffer overflow, caused by an integer overflow flaw in the Curl_ntlm_core_mk_nt_hash internal function in the NTLM authentication code. By sending an overly long password, a remote attacker could overflow a buffer and execute arbitrary code and cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-12384
DESCRIPTION: Mozilla Network Security Services (NSS), as used in Mozilla Firefox, could allow a remote attacker to obtain sensitive information, caused by the improper handling of an SSLv2-compatible ClientHello message. By conducting a passive replay attack, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150436 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2018-12020
DESCRIPTION: GnuPG could allow a remote attacker to conduct spoofing attacks, caused by the improper handling of the original filename during decryption and verification actions in mainproc.c. An attacker could exploit this vulnerability to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the --status-fd 2 option.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)