PT-2023-8462 · IBM (and 4 other vendors) · IBM Spectrum Fusion HCI (and 4 other products)

Josh Baergen and 2 others

Published: 2023-06-22 · Updated: 2025-09-25 · CVE-2023-43040

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2

Description: The issue is improper bucket access control in the RGW (RADOS Gateway) service of the Ceph storage system. Because access restrictions are not enforced when the bucket key supplied in a request is handled, an attacker can perform unauthorized actions on buckets. A remote attacker can use this to bypass security restrictions and upload arbitrary files.

Recommendations: For IBM Spectrum Fusion HCI versions 2.5.2 through 2.7.2, consider restricting access to the RGW service until a patch is available. As a temporary workaround, limit the ability to write to buckets through the vulnerable RGWPostObj_ObjStore_S3::get_params() function, and avoid using that function to process form-data containing keys that could grant unauthorized access to buckets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Access Control

Related Identifiers

AZL-40646
BDU:2024-00898
CVE-2023-43040
DLA-3629-1
DLA-4310-1
DSA-5825-1
OESA-2023-1761
RHSA-2023:5693
RHSA-2024:0745
USN-6613-1

Affected Products

Astra Linux
Debian
IBM Spectrum Fusion HCI
Linux Mint
Ubuntu