SB2023092025 - Multiple vulnerabilities in Netcool Operations Insight
Published: September 20, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 56 secuirty vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2022-22576)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when re-using OAUTH2 connections for SASL-enabled protocols, such as SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). libcurl may reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. As a result, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer can subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer.
A remote attacker can exploit this vulnerability against applications intended for use in multi-user environments to bypass authentication and gain unauthorized access to victim's accounts.
2) Deserialization of Untrusted Data (CVE-ID: CVE-2020-9493)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Cross-site scripting (CVE-ID: CVE-2015-8861)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Prototype pollution (CVE-ID: CVE-2019-19919)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
5) Cross-site scripting (CVE-ID: CVE-2019-20920)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Infinite loop (CVE-ID: CVE-2019-20922)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing specially-crafted templates. A remote attacker can consume all available system resources and cause denial of service conditions.
7) Code Injection (CVE-ID: CVE-2021-23369)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Prototype Pollution (CVE-ID: CVE-2021-23383)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when selecting certain compiling options to compile templates. A remote attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Security restrictions bypass (CVE-ID: CVE-2018-1320)
The vulnerability allows a remote attacker to gain access to bypass security restrictions.
The vulnerability exists due to unspecified flaw. A remote attacker can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
10) Infinite loop (CVE-ID: CVE-2019-0205)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing user-supplied input. A remote attacker can pass malicious input to the application and consume all available system resources or cause denial of service conditions.
11) Information disclosure (CVE-ID: CVE-2021-28168)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. A local attacker can gain unauthorized access to sensitive information on the system.
12) Resource exhaustion (CVE-ID: CVE-2021-44906)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
13) Information disclosure (CVE-ID: CVE-2022-27774)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl attempts to follow redirects during authentication process and does not consider different port numbers or protocols to be separate authentication targets. If the web application performs redirection to a different port number of protocol, cURL will allow such redirection and will pass credentials. It could also leak the TLS SRP credentials this way.
By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports.
14) Deserialization of Untrusted Data (CVE-ID: CVE-2022-36944)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data during Java object deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Information disclosure (CVE-ID: CVE-2022-27776)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl can leak authentication or cookie header data during HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme.
The vulnerability exists due to an incomplete fix for #VU10224 (CVE-2018-1000007).
16) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.
17) Resource exhaustion (CVE-ID: CVE-2022-32206)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insecure processing of compressed HTTP responses. A malicious server can send a specially crafted HTTP response to curl and perform a denial of service attack by forcing curl to spend enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
18) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2022-32208)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper handling of message verification failures when performing FTP transfers secured by krb5. A remote attacker can perform MitM attack and manipulate data.
19) Deserialization of Untrusted Data (CVE-ID: CVE-2019-17571)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the SocketServer class in Log4j. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system, if these is a deserialization gadget listening to untrusted network traffic for log data.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
20) SQL injection (CVE-ID: CVE-2022-23305)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the JDBCAppender. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Note, a non-default configuration with enabled JDBCAppender is required to exploit the vulnerability.
21) Deserialization of Untrusted Data (CVE-ID: CVE-2022-23302)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in JMSSink. A remote attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests and execute arbitrary code on the target system.
Note, a non-default configuration with support for JMSSink is required to exploit this vulnerability.
22) Deserialization of Untrusted Data (CVE-ID: CVE-2021-4104)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in JMSAppender, when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution.
Note this issue only affects Log4j 1.2 when specifically configured to
use JMSAppender, which is not the default.
23) Improper Validation of Array Index (CVE-ID: CVE-2021-3121)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper validation of index array in plugin/unmarshal/unmarshal.go. A remote attacker can pass specially crafted data to the application and bypass implemented security restrictions, possibly leading to remote code execution.
24) Resource exhaustion (CVE-ID: CVE-2020-35380)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can send a specially crafted JSON and perform a denial of service (DoS) attack.
25) Incorrect Regular Expression (CVE-ID: CVE-2021-42836)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
26) Incorrect Regular Expression (CVE-ID: CVE-2021-42248)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted JSON input to the application and perform regular expression denial of service (ReDos) attack.
27) Code Injection (CVE-ID: CVE-2021-44832)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.
28) Improper Certificate Validation (CVE-ID: CVE-2020-9488)
The vulnerability allows a remote attacker to perform man-in-the-middle attack.
The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.
29) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-4189)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the FTP (File Transfer Protocol) client library when using it in PASV (passive) mode. A remote attacker can set up a malicious FTP server, trick the FTP client in Python into connecting back to a given IP address and port, which can lead to FTP client scanning ports which otherwise would not have been possible.
30) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2022-35256)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
31) Security features bypass (CVE-ID: CVE-2022-26612)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing symbolic links checks when extracting files from TAR archives on Windows. A remote attacker can trick the victim to open a specially crafted archive and overwrite files on the system.
32) Integer overflow (CVE-ID: CVE-2022-29824)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*). A remote attacker can pass specially crafted multi-gigabyte XML file to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
33) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2021-40528)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to use of a broken or risky cryptographic algorithm in the ElGamal implementation. A remote attacker can gain unauthorized access to sensitive information on the system.
34) Missing Authentication for Critical Function (CVE-ID: CVE-2022-31176)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
35) Out-of-bounds read (CVE-ID: CVE-2022-1586)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary condition in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. A remote attacker can pass specially crafted data to the application, trigger out-of-bounds read error, gain access to sensitive information or perform a denial of service attack.
36) Use-after-free (CVE-ID: CVE-2022-2526)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the on_stream_io() and dns_stream_complete() functions in resolved-dns-stream.c, which do not increment the reference counting for the DnsStream object. A remote attacker can send to the system specially crafted DNS responses, trigger a use-after-free error and perform a denial of service (DoS) attack.
37) Input validation error (CVE-ID: CVE-2022-24434)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a modified form to server, and crash the nodejs service. An attacker can sent the payload again and again so that the service continuously crashes.
38) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-8912)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A local user can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR.
39) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2021-46708)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into opening a specially crafted URL to hijack the victim's click actions and possibly launch further attacks against the victim.
40) Incorrect Regular Expression (CVE-ID: CVE-2022-31129)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when parsing overly long strings. A remote attacker can pass a string that contains more that 10k characters and perform regular expression denial of service (ReDoS) attack.
41) Use of insufficiently random values (CVE-ID: CVE-2022-35255)
The vulnerability allows a remote attacker to decrypt sensitive information.
The vulnerability exists due to usage of weak randomness in WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. A remote attacker can decrypt sensitive information.
42) Authentication Bypass by Spoofing (CVE-ID: CVE-2022-22476)
The vulnerability allows a remote attacker to execute identity spoofing attacks.
The vulnerability exists due to an unspecified error in IBM WebSphere Application Server Liberty. A remote authenticated user can send a specially crafted request to perform identity spoofing attacks.
43) Infinite loop (CVE-ID: CVE-2021-3737)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker who controls a malicious server can force the client to enter an infinite loop on a 100 Continue response.
44) Resource exhaustion (CVE-ID: CVE-2022-34917)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote non-authenticated attacker with ability to establish a network connection with the Apache Kafka broker can consume all available memory resources on the system and perform a denial of service (DoS) attack.
45) Observable discrepancy (CVE-ID: CVE-2021-29446)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. A remote attacker can gain unauthorized access to sensitive information on the system.
46) Heap-based buffer overflow (CVE-ID: CVE-2021-37404)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when opening a file path within the libhdfs native code. A remote attacker can pass specially crafted input to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
47) OS Command Injection (CVE-ID: CVE-2022-25168)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the FileUtil.unTar(File, File) API. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
48) Open redirect (CVE-ID: CVE-2022-33987)
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to requested URLs are not verified and allow open redirection to a local UNIX socket. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
49) Observable discrepancy (CVE-ID: CVE-2021-29445)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. A remote attacker can gain unauthorized access to sensitive information on the system.
50) Input validation error (CVE-ID: CVE-2017-1000048)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
51) Insufficient Session Expiration (CVE-ID: CVE-2021-34428)
The vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to insufficient session expiration issue. If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated.
52) Information disclosure (CVE-ID: CVE-2021-28163)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink, the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.
53) Input validation error (CVE-ID: CVE-2021-28164)
The vulnerability allows a remote attacker to gain access to sensitive informatoin.
The vulnerability exists due to insufficient validation of user-supplied input when processing special characters, passed via URI. A remote attacker can use %2e or %2e%2e segments to access protected resources within the WEB-INF directory.
Example:
http://[host]/context/%2e/WEB-INF/web.xml
54) Resource exhaustion (CVE-ID: CVE-2021-28165)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing large TLS frames. A remote attacker can send specially crafted data to the server, trigger CPU high load and perform a denial of service (DoS) attack.
55) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2020-15168)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.The vulnerability exists due to node-fetch does not honor the size option after following a redirect. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
56) Observable discrepancy (CVE-ID: CVE-2021-29444)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. A remote attacker can gain unauthorized access to sensitive information on the system.
Remediation
Install update from vendor's website.