SB2023051543 - Multiple vulnerabilities in IBM Edge Application Manager

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023051543

SB2023051543 - Multiple vulnerabilities in IBM Edge Application Manager

Published: May 15, 2023

Security Bulletin ID SB2023051543
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Improper Privilege Management (CVE-ID: CVE-2022-36109)

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management caused by improper setup of supplementary groups. A local user can bypass primary group restrictions and compromise the container.


2) Resource exhaustion (CVE-ID: CVE-2018-20699)

The vulnerability allows a remote attacker on the local network to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker on the local network can cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-24769)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to containers are incorrectly started with non-empty inheritable Linux process capabilities, which leads to security restrictions bypass and privilege escalation.


Remediation

Install update from vendor's website.

References