Multiple vulnerabilities in IBM QRadar Network Packet Capture
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2022-29154 CVE-2022-38177 CVE-2022-40674 CVE-2022-2526 |
| CWE-ID | CWE-22 CWE-401 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM QRadar Network Packet Capture Web applications / Other software |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU66189
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-29154
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote server to perform directory traversal attacks.
The vulnerability exists due to input validation error within the rsync client when processing file names. A remote malicious server overwrite arbitrary files in the rsync client target directory and subdirectories on the connected peer.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM QRadar Network Packet Capture: before 7.4.3 Fix Pack 6
CPE2.3 External linkshttps://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet-capture-includes-components-with-multiple-known-vulnerabilities/
https://www.ibm.com/support/pages/node/6838295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory leak
EUVDB-ID: #VU67549
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-38177
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in the DNSSEC verification code for the ECDSA algorithm. A remote attacker can spoof the target resolver with responses that have a malformed ECDSA signature and perform denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM QRadar Network Packet Capture: before 7.4.3 Fix Pack 6
CPE2.3 External linkshttps://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet-capture-includes-components-with-multiple-known-vulnerabilities/
https://www.ibm.com/support/pages/node/6838295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU67532
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-40674
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in the doContent() function in xmlparse.c. A remote attacker can pass specially crafted input to the application that is using the affected library, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM QRadar Network Packet Capture: before 7.4.3 Fix Pack 6
CPE2.3 External linkshttps://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet-capture-includes-components-with-multiple-known-vulnerabilities/
https://www.ibm.com/support/pages/node/6838295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free
EUVDB-ID: #VU66757
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-2526
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the on_stream_io() and dns_stream_complete() functions in resolved-dns-stream.c, which do not increment the reference counting for the DnsStream object. A remote attacker can send to the system specially crafted DNS responses, trigger a use-after-free error and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsIBM QRadar Network Packet Capture: before 7.4.3 Fix Pack 6
CPE2.3 External linkshttps://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet-capture-includes-components-with-multiple-known-vulnerabilities/
https://www.ibm.com/support/pages/node/6838295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
