Multiple vulnerabilities in IBM QRadar SIEM
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2022-23816 CVE-2022-23825 CVE-2022-2588 CVE-2022-26373 CVE-2022-29900 CVE-2022-29901 CVE-2022-42898 |
| CWE-ID | CWE-843 CWE-415 CWE-264 CWE-1037 CWE-190 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #3 is being exploited in the wild. |
| Vulnerable software Subscribe |
IBM Qradar SIEM Client/Desktop applications / Other client software |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Type Confusion
EUVDB-ID: #VU65219
Risk: Low
CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-23816
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a branch type confusion. A local user can force the branch predictor to predict the wrong branch type and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Qradar SIEM: 7.4 - 7.5.0 Update Package 3 Interim Fix 02
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.4.3:Fix Pack 8:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.5.0:Update Package 3 Interim Fix 02:*:*:*:*:*:
http://www.ibm.com/support/pages/node/6967016
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Type Confusion
EUVDB-ID: #VU65204
Risk: Low
CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-23825
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to a branch type confusion. A local user can force the branch predictor to predict the wrong branch type and gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsIBM Qradar SIEM: 7.4 - 7.5.0 Update Package 3 Interim Fix 02
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.4.3:Fix Pack 8:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.5.0:Update Package 3 Interim Fix 02:*:*:*:*:*:
http://www.ibm.com/support/pages/node/6967016
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Double Free
EUVDB-ID: #VU66397
Risk: Low
CVSSv3.1: 7.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2022-2588
CWE-ID:
CWE-415 - Double Free
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The
vulnerability exists due to a double free error within the network packet scheduler implementation
in the route4_change() function in Linux kernel when removing all references to a route filter
before freeing it. A local user can run a specially crafted program to
crash the kernel or execute arbitrary code.
Install update from vendor's website.
Vulnerable software versionsIBM Qradar SIEM: 7.4 - 7.5.0 Update Package 3 Interim Fix 02
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.4.3:Fix Pack 8:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.5.0:Update Package 3 Interim Fix 02:*:*:*:*:*:
http://www.ibm.com/support/pages/node/6967016
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
4) Security restrictions bypass
EUVDB-ID: #VU66549
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26373
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to non-transparent sharing of return predictor targets between contexts in Intel CPU processors. A local user can bypass the expected architecture isolation between contexts and gain access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Qradar SIEM: 7.4 - 7.5.0 Update Package 3 Interim Fix 02
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.4.3:Fix Pack 8:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.5.0:Update Package 3 Interim Fix 02:*:*:*:*:*:
http://www.ibm.com/support/pages/node/6967016
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Processor optimization removal or modification of security-critical code
EUVDB-ID: #VU65205
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29900
CWE-ID:
CWE-1037 - Processor optimization removal or modification of security-critical code
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a mistrained branch predictions for return instructions. A local user can execute arbitrary speculative code under certain microarchitecture-dependent conditions. The vulnerability was dubbed RETbleed.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Qradar SIEM: 7.4 - 7.5.0 Update Package 3 Interim Fix 02
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.4.3:Fix Pack 8:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.5.0:Update Package 3 Interim Fix 02:*:*:*:*:*:
http://www.ibm.com/support/pages/node/6967016
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Processor optimization removal or modification of security-critical code
EUVDB-ID: #VU65220
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29901
CWE-ID:
CWE-1037 - Processor optimization removal or modification of security-critical code
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the way non-transparent sharing of branch predictor targets between contexts. A local user can exploit the vulnerability to gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsIBM Qradar SIEM: 7.4 - 7.5.0 Update Package 3 Interim Fix 02
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.4.3:Fix Pack 8:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.5.0:Update Package 3 Interim Fix 02:*:*:*:*:*:
http://www.ibm.com/support/pages/node/6967016
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Integer overflow
EUVDB-ID: #VU69337
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42898
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow within the S4U2Proxy handler on 32-bit systems. A remote user can send specially crafted request to the KDC server, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Qradar SIEM: 7.4 - 7.5.0 Update Package 3 Interim Fix 02
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.4.3:Fix Pack 8:*:*:*:*:*:
- cpe:2.3:a:ibm_corporation:ibm_qradar_siem:7.5.0:Update Package 3 Interim Fix 02:*:*:*:*:*:
http://www.ibm.com/support/pages/node/6967016
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
