Multiple vulnerabilities in IBM QRadar SIEM



Risk High
Patch available YES
Number of vulnerabilities 9
CVE-ID CVE-2019-17571
CVE-2022-23305
CVE-2022-23307
CVE-2020-9493
CVE-2021-4104
CVE-2020-9488
CVE-2023-24329
CVE-2022-23302
CVE-2022-34352
CVE-2023-43041
CWE-ID CWE-502
CWE-89
CWE-295
CWE-20
CWE-639
CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
IBM Qradar SIEM
Client/Desktop applications / Other client software

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU27960

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17571

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data within the SocketServer class in Log4j. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system,  if these is a deserialization gadget listening to untrusted network traffic for log data.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) SQL injection

EUVDB-ID: #VU59691

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23305

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the JDBCAppender. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Note, a non-default configuration with enabled JDBCAppender is required to exploit the vulnerability.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Deserialization of Untrusted Data

EUVDB-ID: #VU59693

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23307,CVE-2020-9493

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Deserialization of Untrusted Data

EUVDB-ID: #VU58977

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-4104

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in JMSAppender, when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution.

Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper Certificate Validation

EUVDB-ID: #VU27487

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9488

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform man-in-the-middle attack.

The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU72618

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24329

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented filters.

The vulnerability exists due to insufficient validation of URLs that start with blank characters within urllib.parse component of Python. A remote attacker can pass specially crafted URL to bypass existing filters.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Deserialization of Untrusted Data

EUVDB-ID: #VU59692

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23302

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data in JMSSink. A remote attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests and execute arbitrary code on the target system.

Note, a non-default configuration with support for JMSSink is required to exploit this vulnerability.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Authorization bypass through user-controlled key

EUVDB-ID: #VU77646

Risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-34352

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit availability: No

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing permissions checks. A remote delegated Admin tenant user with a specific domain security profile assigned can see data from other domains.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper access control

EUVDB-ID: #VU82572

Risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-43041

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A delegated Admin tenant user with a specific domain security profile assigned to see data from other domains.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Qradar SIEM: 7.5 - 7.5.0

CPE2.3 External links

http://www.ibm.com/support/pages/node/7060803


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###