SB2019051117 - Multiple vulnerabilities in IBM Cloud Transformation Advisor

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019051117

SB2019051117 - Multiple vulnerabilities in IBM Cloud Transformation Advisor

Published: May 11, 2019 Updated: June 15, 2023

Security Bulletin ID SB2019051117
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 29% Low 71%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Insecure DLL loading (CVE-ID: CVE-2018-1890)

The vulnerability allows a local user to elevate privilege on the system.

The vulnerability exists due to IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs. A local user can trigger the vulnerability to facilitate code injection and elevate privilege on the system.


2) Input validation error (CVE-ID: CVE-2018-12549)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.


3) Buffer overflow (CVE-ID: CVE-2018-12547)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.


4) Information disclosure (CVE-ID: CVE-2019-2422)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to unspecified flaw in Libraries component. A remote attacker can gain access to sensitive information on the system.

5) Denial of service (CVE-ID: CVE-2019-2449)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to unspecified flaw in Deployment component. A remote attacker cause the service to crash.

6) Information disclosure (CVE-ID: CVE-2019-2426)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to unspecified flaw in Networking component. A remote attacker read arbitrary data.

7) Division by zero (CVE-ID: CVE-2018-11212)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to division by zero error within the libjpeg library within the libjpeg-turbo in alloc_sarray() function of jmemmgr.c file. A remote attacker can pass a specially crafted file the to affected application and cause application to crash.

Remediation

Install update from vendor's website.

References