SB2023081005 - Multiple vulnerabilities in IBM Data Virtualization on Cloud Pak for Data 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023081005

SB2023081005 - Multiple vulnerabilities in IBM Data Virtualization on Cloud Pak for Data

Published: August 10, 2023

Security Bulletin ID SB2023081005
Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 86%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 secuirty vulnerabilities.


1) Incorrect Regular Expression (CVE-ID: CVE-2022-31129)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when parsing overly long strings. A remote attacker can pass a string that contains more that 10k characters and perform regular expression denial of service (ReDoS) attack.


2) Incorrect Regular Expression (CVE-ID: CVE-2022-3517)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


3) Inefficient regular expression complexity (CVE-ID: CVE-2022-37620)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


4) Incorrect regular expression (CVE-ID: CVE-2022-25758)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions in loadAnnotation() function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


5) Inefficient regular expression complexity (CVE-ID: CVE-2022-25901)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions within the Cookie.parse function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


6) Command Injection (CVE-ID: CVE-2021-42740)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the regex designed to support Windows drive letters before passing it into the exec() call. A remote attacker can pass specially crafted payload to the application and execute arbitrary code on the system.


7) Incorrect Regular Expression (CVE-ID: CVE-2022-25858)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


Remediation

Install update from vendor's website.

References