SB2022081818 - Information disclosure in IBM Connect:Direct Web Service
Published: August 18, 2022
Description
This security bulletin contains information about 1 security vulnerability.
1) Memory leak (CVE-ID: CVE-2021-32028)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a memory leak in the implementation of the INSERT ... ON CONFLICT ... DO UPDATE command in PostgreSQL, which IBM Connect:Direct Web Service bundles. A remote, authenticated database user can execute the affected command to read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create the prerequisite objects and complete this attack at will.
Remediation
Install the update from the vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-postgresql-vulnerability-affects-ibm-connectdirect-web-service-cve-2021-32028/
- https://www.ibm.com/support/pages/node/6507401