SB2023102326 - Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Description

This security bulletin contains information about 25 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2023-24999)

The vulnerability allows a remote user to perform a denial of service attack.

The vulnerability exists due to the way the application handles authentication based on Approle SecretID. A remote user with access to the "/auth/approle/role/:role_name/secret-id-accessor/destroy" endpoint can destroy the secret ID of any other role by providing the secret ID accessor and disable access to Vault for other users.

2) Input validation error (CVE-ID: CVE-2022-21698)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within method label cardinality. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

3) Improper input validation (CVE-ID: CVE-2021-3572)

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Policy (python-pip) component in Oracle Communications Cloud Native Core Policy. A remote authenticated user can exploit this vulnerability to manipulate data.

4) Improper validation of certificate with host mismatch (CVE-ID: CVE-2021-28363)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to urllib3 library for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted. A remote attacker can supply a valid SSL certificate for a different hostname and perform Man-in-the-Middle (MitM) attack.

5) Path traversal (CVE-ID: CVE-2019-20916)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences passed via URL to the install command within the _download_http_url() function in _internal/download.py. A remote attacker can send a specially crafted HTTP request with the Content-Disposition header that contains directory traversal characters in the filename and overwrite the /root/.ssh/authorized_keys file.

6) Incorrect Regular Expression (CVE-ID: CVE-2023-22467)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an incorrect regular expression when parsing untrusted input within the Luxon's DateTime.fromRFC2822() function. A remote attacker can causes a noticeable slowdown for inputs with lengths above 10k characters.

Note, this is the same vulnerability as #VU65835 (CVE-2022-31129) reported earlier for moment.js.

7) Resource exhaustion (CVE-ID: CVE-2023-25577)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing multipart form data with many fields. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

8) Input validation error (CVE-ID: CVE-2023-23934)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of "nameless" cookies. A remote attacker can manipulate cookie values for an arbitrary domain.

9) Input validation error (CVE-ID: CVE-2023-0845)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user with service:write permissions can configure the upstreams to reference a peering destination and crash the Consul server or client agent hosting the xDS connection to an API gateway or ingress gateway.

10) Cross-site scripting (CVE-ID: CVE-2020-11022)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

11) Cross-site scripting (CVE-ID: CVE-2020-11023)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

12) Prototype pollution (CVE-ID: CVE-2019-11358)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

13) Cross-site scripting (CVE-ID: CVE-2015-9251)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when a cross-domain Ajax request is performed without the dataType option. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary text/javascript responses in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

14) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2021-43797)

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests when processing control chars present at the beginning / end of the header name. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

15) Out-of-bounds write (CVE-ID: CVE-2022-1304)

The vulnerability allows a local attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A local attacker can use a specially crafted filesystem, trigger out-of-bounds write and execute arbitrary code on the target system.

16) Insufficient verification of data authenticity (CVE-ID: CVE-2022-23491)

The vulnerability allows a remote attacker to bypass certificate validation checks.

The vulnerability exists due to presence of the TrustCor certificate in the Root Certificates list. the certificate is removed due to TrustCor's ownership also operated a business that produced spyware. Therefore, any checks that rely on digital signatures of trusted certificates were compromised.

17) Out-of-bounds write (CVE-ID: CVE-2020-36518)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.

18) Out-of-bounds write (CVE-ID: CVE-2022-38751)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted YAML input. A remote attacker can pass a specially crafted YAML file to the application, trigger out-of-bounds write and perform a denial of service (DoS) attack.

19) Stack-based buffer overflow (CVE-ID: CVE-2022-38750)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when handling YAML files. A remote attacker can pass a specially crafted YAML file to the application, trigger a stack-based buffer overflow and perform a denial of service (DoS) attack.

20) Stack-based buffer overflow (CVE-ID: CVE-2022-38749)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when handling YAML files. A remote attacker can pass a specially crafted YAML file to the application, trigger a stack-based buffer overflow and perform a denial of service (DoS) attack.

21) Resource exhaustion (CVE-ID: CVE-2022-25857)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling YAML files. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

22) Stored cross-site scripting (CVE-ID: CVE-2022-31777)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in log viewer UI. A remote attacker can permanently inject arbitrary JavaScript code into the application logs and execute it in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

23) Path traversal (CVE-ID: CVE-2023-24815)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences, when running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

24) Inefficient regular expression complexity (CVE-ID: CVE-2022-25901)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions within the Cookie.parse function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

25) Information disclosure (CVE-ID: CVE-2023-0044)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists if Quarkus Form Authentication session cookie Path attribute is set to "/". A remote attacker can perform a cross-site attack and obtain sensitive information from the cookie. The vulnerability affects Vert.x HTTP component.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6967012