SB2023102037 - Multiple vulnerabilities in IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Description

This security bulletin contains information about 14 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-27589)

The vulnerability allows a remote privileged user to bypass security restrictions.

The vulnerability exists due to application does not properly impose security restrictions. A remote user with `consoleAdmin` permissions can potentially create a user that matches the root credential `accessKey`

2) Path traversal (CVE-ID: CVE-2022-41720)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the way os.DirFS function and http.Dir type handle empty values on Windows, allowing an attacker with control over the path to view arbitrary files on the system.

3) Resource exhaustion (CVE-ID: CVE-2022-41727)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A local attacker can trick the victim into opening a specially crafted malformed TIFF image, trigger resource exhaustion and perform a denial of service (DoS) attack.

4) Resource exhaustion (CVE-ID: CVE-2022-41725)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper control over internal resources in net/http and mime/multipart. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

5) Path traversal (CVE-ID: CVE-2022-41722)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the filepath.Clean() function on Windows, which can transform an invalid path such as "a/../c:/b" into the valid path "c:". As a result, an attacker can read arbitrary files on the system.

6) Insufficient verification of data authenticity (CVE-ID: CVE-2022-23491)

The vulnerability allows a remote attacker to bypass certificate validation checks.

The vulnerability exists due to presence of the TrustCor certificate in the Root Certificates list. the certificate is removed due to TrustCor's ownership also operated a business that produced spyware. Therefore, any checks that rely on digital signatures of trusted certificates were compromised.

7) Incorrect Regular Expression (CVE-ID: CVE-2022-40897)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing HTML content. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

8) Resource management error (CVE-ID: CVE-2022-41724)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in crypto/tls when handling large TLS handshake records. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.

The vulnerability affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

9) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

10) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2022-41721)

The vulnerability allows a remote attacker to perform HTTP/2 request smuggling attacks.

The vulnerability exists due to improper validation of HTTP/2 requests when using MaxBytesHandler. A remote attacker can send a specially crafted HTTP/2 request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

11) Resource exhaustion (CVE-ID: CVE-2022-41723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the HPACK decoder. A remote attacker can send a specially crafted HTTP/2 stream to the application, cause resource exhaustion and perform a denial of service (DoS) attack.

12) Double Free (CVE-ID: CVE-2023-25136)

The vulnerability allows a remote attacker to potentially execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the sshd(8) daemon. A remote non-authenticated attacker can send  specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.

The vendor believes exploitation of this vulnerability has limitations as double free occurs "in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms". Nevertheless we assign a high risk to this vulnerability.

13) Input validation error (CVE-ID: CVE-2022-41716)

The vulnerability allows a local user to execute arbitrary OS commands on the system.

The vulnerability exists due to insecure processing of unsanitized NUL values in syscall.StartProcess and os/exec.Cmd. A local user on the Windows operating system can set a specially crafted environment variable and execute arbitrary OS commands on the system.

14) Input validation error (CVE-ID: CVE-2022-40898)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input passed to wheel cli. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6965352