CVE-2023-27290
Published: 03 March 2023
Summary
CVE-2023-27290 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in IBM Observability with Instana. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 7.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-27290 is a missing authentication vulnerability affecting Docker-based datastores in IBM Observability with Instana versions 239-0 through 239-2, 241-0 through 241-2, and 243-0. The affected component enforces no authentication requirement on these datastores; the weakness maps to CWE-306, and the exposure is consistent with the reported CVSS vector AV:N/AC:L/PR:N/UI:N/S:U (network-reachable, low attack complexity, no privileges or user interaction required).
An attacker positioned within the network can connect directly to the datastores and obtain read/write access without credentials or user interaction, enabling unauthorized data retrieval or modification. Because no credential is ever checked, a bare network connection to the datastore port is the entire attack path: network reachability is the only precondition.
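The practical first question for an operator is which datastore ports are actually reachable from the network, since with no authentication reachability is the whole exploit. The script below is an added example, not IBM's or Instana's code, and it assumes the datastores run as Docker containers whose ports are published to the host (the advisory only calls them "Docker based datastores"); the container names and ports in the embedded `docker inspect` sample are constructed, not real Instana values. It parses `docker inspect` output, flags any port binding on a wildcard host address (`0.0.0.0`, `::`, or empty, which Docker treats as all interfaces), and can optionally confirm with a plain TCP connect, which is all a CWE-306 attacker needs.

```python
"""Audit `docker inspect` output for datastore ports published on every host interface.

Added example (not IBM/Instana code). Assumption: datastores are containers whose
ports are published via -p / ports:. Sample data below is constructed.
"""
import json
import socket
import sys

# Host addresses that mean "listen on every interface" for a published port.
WILDCARD_HOST_IPS = {"", "0.0.0.0", "::"}


def published_ports(inspect_output):
    """Return (container_name, container_port, host_ip, host_port) tuples.

    `inspect_output` is the parsed JSON list that `docker inspect <ids>` prints.
    NetworkSettings.Ports maps e.g. "9042/tcp" -> list of {HostIp, HostPort},
    or None when the port is only exposed inside the Docker network.
    """
    rows = []
    for container in inspect_output:
        name = container.get("Name", "").lstrip("/")
        ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in ports.items():
            for binding in bindings or []:
                rows.append((name, container_port,
                             binding.get("HostIp", ""), binding.get("HostPort", "")))
    return rows


def wide_open(rows):
    """Keep only bindings reachable from any network interface."""
    return [r for r in rows if r[2] in WILDCARD_HOST_IPS]


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection completes; no protocol handshake is attempted."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: one datastore bound to all interfaces, one to loopback only.
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/datastore-a",
   "NetworkSettings": {"Ports": {
       "9042/tcp": [{"HostIp": "0.0.0.0", "HostPort": "9042"},
                    {"HostIp": "::", "HostPort": "9042"}],
       "7000/tcp": null}}},
  {"Name": "/datastore-b",
   "NetworkSettings": {"Ports": {
       "5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}}}
]""")


def main(argv):
    # `-` reads real `docker inspect` JSON from stdin; otherwise the sample is used.
    data = json.load(sys.stdin) if len(argv) > 1 and argv[1] == "-" else SAMPLE_INSPECT
    probe = "--probe" in argv
    for name, cport, hip, hport in wide_open(published_ports(data)):
        line = f"{name}: {cport} published on {hip or '*'}:{hport}"
        if probe:
            line += " (reachable)" if tcp_reachable("127.0.0.1", hport) else " (not reachable)"
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a live host with `docker inspect $(docker ps -q) | python3 audit_ports.py - --probe`. Any line it prints is a datastore that every host on the network can connect to without credentials; the fix is still the vendor patch, but rebinding such ports to loopback or an internal-only interface closes the reachability precondition in the meantime.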
IBM has published remediation guidance at https://www.ibm.com/support/pages/node/6959969 along with an X-Force entry at https://exchange.xforce.ibmcloud.com/vulnerabilities/248737; public exploit references also appear on Packet Storm.
EPSS for the CVE rose from lower values to a peak of 0.1738 (a 17.4% estimated 30-day exploitation probability) before receding to the current 0.0850 (8.5%), indicating a period of increased exploitation interest well after the 2023 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-31068
Vulnerability details
Docker based datastores for IBM Instana (IBM Observability with Instana 239-0 through 239-2, 241-0 through 241-2, and 243-0) do not currently require authentication. Due to this, an attacker within the network could access the datastores with read/write access. IBM X-Force ID: 248737.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- IBM Observability with Instana 239-0 through 239-2
- IBM Observability with Instana 241-0 through 241-2
- IBM Observability with Instana 243-0
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identification and authentication to be re-established before a locked session is unlocked prevents missing authentication from being leveraged for continued system access.
- Requiring explicit identification of, and a rationale for, any action permitted without authentication forces a review of authentication requirements, so critical functions are not left unprotected.
- Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
- Mandatory invocation of the access control mechanism guarantees that critical functions are protected.
- Auditing sessions makes it possible to detect access to critical functions without the required authentication.
- The assessment process confirms that authentication is present and effective for critical functions, preventing exploitation via missing authentication.
- Certification assesses that critical functions have the required authentication controls in place.
- Disabling non-essential functions and services removes the need to secure them, reducing exposure from missing authentication on unnecessary components.