SB2024011022 - Multiple vulnerabilities in IBM Security Verify Access
Published: January 10, 2024
Description
This security bulletin contains information about 18 security vulnerabilities in third-party components bundled with IBM Security Verify Access (HAProxy, PostgreSQL, PyYAML, SnakeYAML, the SQLite JDBC driver, protobuf, GNU Bash, json-smart and a JSON/XML conversion library).
1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2019-18277)
The vulnerability allows a remote attacker to perform an HTTP request smuggling attack.
The vulnerability exists due to incorrect processing of HTTP messages whose Transfer-Encoding header does not carry the "chunked" value, when HAProxy runs in legacy (non-HTX) mode. Such messages are not rejected. On its own the impact is limited, but combined with the "http-reuse always" setting, under which backend connections are shared between client sessions, it can be used to construct an HTTP request smuggling attack.
2) Security features bypass (CVE-ID: CVE-2023-2455)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to incomplete fix for #VU40402 (CVE-2016-2193) that did not anticipate a scenario involving function inlining. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.
This affects only databases that have used CREATE POLICY to define a row security policy.
3) Out-of-bounds read (CVE-ID: CVE-2022-41862)
The vulnerability allows a malicious server to disclose client memory.
The vulnerability exists due to a boundary condition in the libpq client library. A modified or malicious server can send an unterminated string during the establishment of Kerberos (GSS) transport encryption, causing the client to over-read and, in certain conditions, report an error message containing uninitialized bytes of its own memory.
4) CRLF injection (CVE-ID: CVE-2019-19330)
The vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to insufficient validation of user-supplied input when CR, LF and NUL characters in header names and values are carried over while converting headers from HTTP/2 to HTTP/1. A remote attacker can send a specially crafted HTTP/2 request to HAProxy and inject arbitrary HTTP headers into the HTTP/1 request forwarded to the backend. Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions or perform spoofing attacks.
5) Input validation error (CVE-ID: CVE-2017-18342)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to insufficient validation of user-supplied input in the PyYAML "yaml.load()" API, which by default constructs arbitrary Python objects named by YAML tags; "yaml.safe_load()" (the SafeLoader), which restricts input to the safe tag subset, is not used. A remote attacker who can supply YAML content to the application can execute arbitrary code on the target system.
6) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-25725)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP/1 requests. The header parser accepts empty header field names, which a remote attacker can use to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1.
Successful exploitation of the vulnerability may allow an attacker to bypass access control rules that match on the dropped headers, poison HTTP caches and perform phishing attacks.
7) Deserialization of Untrusted Data (CVE-ID: CVE-2022-1471)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because SnakeYAML's default Constructor class deserializes arbitrary Java types named by YAML tags, without restricting which classes may be instantiated. A remote attacker can pass specially crafted YAML content to the application and execute arbitrary code on the target system. Applications that parse untrusted YAML should use SafeConstructor, which only constructs the standard YAML types.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Code Injection (CVE-ID: CVE-2023-32697)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the SQLite JDBC driver when the JDBC connection URL is attacker-controlled. A remote attacker who can influence that URL can cause the driver to load attacker-chosen content and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Heap-based buffer overflow (CVE-ID: CVE-2015-5237)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Google Protocol Buffers (protobuf) library when serializing a message. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Infinite loop (CVE-ID: CVE-2019-14241)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop while processing cookies in the htx_manage_client_side_cookies() function in proto_htx.c. A remote attacker can send a specially crafted request to the proxy server, lock the worker in a loop that consumes all available CPU and cause denial of service conditions.
11) Heap-based buffer overflow (CVE-ID: CVE-2020-11100)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTTP/2 requests within the hpack_dht_insert() function in hpack-tbl.c (HPACK decoder). A remote attacker can send a specially crafted HTTP/2 request to the affected HAProxy, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-40225)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. HAProxy forwards requests with an empty Content-Length header instead of rejecting them as RFC 9110 requires, so a remote attacker can send a specially crafted request that the proxy and the backend frame differently and thereby smuggle a second request or arbitrary HTTP headers.
Successful exploitation of the vulnerability may allow an attacker to poison HTTP caches and perform phishing attacks.
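The four HAProxy request-parsing entries above (CVE-2019-18277, CVE-2019-19330, CVE-2023-25725 and CVE-2023-40225) share one lesson: a proxy that tolerates a malformed header block lets the client choose how the backend will frame the message. The following strict validator is an added example written for this bulletin, not HAProxy's or IBM's code; it rejects exactly the header shapes those four entries describe (Transfer-Encoding without a final "chunked", CR/LF/NUL inside a field, an empty field name, an empty or non-numeric Content-Length). The sample requests are constructed, and the 64-byte request-line and field names used in them are arbitrary.

```python
import re

# RFC 9110 "tchar": the characters allowed in an HTTP field name. A name is
# therefore never empty and never contains NUL, CR or LF.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FORBIDDEN_IN_VALUE = (b"\r", b"\n", b"\x00")


def check_field_value(name: str, value: bytes) -> list:
    """Checks for one field before it is written out as HTTP/1 text.

    This is the check an HTTP/2-to-HTTP/1 converter needs (CVE-2019-19330 shape):
    CR, LF or NUL in a value is reinterpreted as a line break or a string
    terminator by the HTTP/1 receiver.
    """
    problems = []
    if any(c in value for c in _FORBIDDEN_IN_VALUE):
        problems.append(f"{name}: CR, LF or NUL in field value")
    if name == "content-length" and not value.isdigit():
        # Empty or non-numeric Content-Length (CVE-2023-40225 shape);
        # RFC 9110 section 8.6 requires one or more digits.
        problems.append("content-length: empty or non-numeric value")
    return problems


def check_http1_request(raw: bytes) -> list:
    """Return the reasons an HTTP/1 request head must be rejected ([] if clean)."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end of header block"]
    lines = head.split(b"\r\n")
    request_line, field_lines = lines[0], lines[1:]
    if len(request_line.split(b" ")) != 3:
        problems.append("malformed request line")
    fields = {}  # lower-cased name -> values in order of appearance
    for line in field_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append(f"field line without ':' ({line!r})")
            continue
        if not _TOKEN.match(name):
            # Empty or non-token name (CVE-2023-25725 shape): a lenient parser
            # may treat it as the end of the header list and drop what follows.
            problems.append(f"invalid field name {name!r}")
            continue
        lname = name.decode("ascii").lower()
        value = value.strip(b" \t")
        problems += check_field_value(lname, value)
        fields.setdefault(lname, []).append(value)
    te = fields.get("transfer-encoding", [])
    cl = fields.get("content-length", [])
    if te and cl:
        # Two length frameworks in one message: the classic smuggling vector.
        problems.append("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if not codings or codings[-1] != b"chunked":
            # Transfer-Encoding without a final "chunked" (CVE-2019-18277 shape):
            # the message length is undefined, so RFC 9112 section 6.1 says reject.
            problems.append("Transfer-Encoding does not end with chunked")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    return problems


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
         b"Content-Type: text/plain\r\n\r\nhello")
TE_NO_CHUNKED = b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: gzip\r\n\r\n"
EMPTY_NAME = (b"GET /admin HTTP/1.1\r\nHost: a\r\n: x\r\n"
              b"X-Forwarded-For: 1.2.3.4\r\n\r\n")
EMPTY_CL = b"GET / HTTP/1.1\r\nHost: a\r\nContent-Length:\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("te", TE_NO_CHUNKED),
                       ("empty-name", EMPTY_NAME), ("empty-cl", EMPTY_CL)]:
        print(label, check_http1_request(req) or "ok")
```

The point of the value check being a separate function is that it is the one a protocol converter must run: in an HTTP/1 byte stream a CRLF inside a value cannot survive line splitting, but a bare CR, a bare LF or a NUL can, and a value arriving over HTTP/2 carries no line structure at all.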
13) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-2625)
The vulnerability allows a remote user to escalate privileges within the database.
The vulnerability exists because extension scripts can replace objects that do not belong to the extension when using the CREATE OR REPLACE or CREATE IF NOT EXISTS commands. A remote user with (1) permission to create non-temporary objects in at least one schema, (2) the ability to lure or wait for an administrator to create or update an affected extension in that schema, and (3) the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS can run arbitrary code as the victim role.
14) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-2454)
The vulnerability allows a remote user to execute arbitrary code as the bootstrap superuser.
The vulnerability exists due to improperly imposed security restrictions. A remote database user with CREATE privilege on a database can bypass protective search_path changes via the "CREATE SCHEMA ... schema_element" command and execute arbitrary code as the bootstrap superuser.
15) SQL injection (CVE-ID: CVE-2023-39417)
The vulnerability allows a remote user to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of the values substituted for @extowner@, @extschema@ and @extschema:...@ when an extension script uses them inside a quoting construct (a string literal or quoted identifier). A database user who controls the owner or schema name, which database-level CREATE privilege allows, can inject SQL into the extension script and execute it with the privileges of the role installing the extension, typically the bootstrap superuser.
16) Improper Check for Dropped Privileges (CVE-ID: CVE-2019-18276)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in the "disable_priv_mode()" function in shell.c because the affected software attempts to drop privileges but does not check, or incorrectly checks, whether the drop succeeded: on Linux and other systems with a saved UID, the saved UID is not dropped. A local user with command execution in the shell can use "enable -f" to load a new builtin at runtime, which can be a shared object that calls setuid() and therefore regains privileges. Only Bash executed with an effective UID different from its real UID (for example via a setuid wrapper) is affected.
17) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion in the json-smart library, which does not limit the nesting of arrays and objects created while parsing. A remote attacker can pass deeply nested JSON data to the application, exhaust the stack and perform a denial of service (DoS) attack.
18) Stack overflow via uncontrolled recursion (CVE-ID: CVE-2022-45688)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in the XML.toJSONObject component, which recurses once per nesting level without a depth limit. A remote unauthenticated attacker can send specially crafted, deeply nested JSON or XML data, exhaust the stack and perform a denial of service attack.
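Entries 17 and 18 are the same defect in two libraries: a recursive parser with no bound on nesting depth, so that input of a few hundred kilobytes of "[" exhausts the stack. The guard a practitioner wants is a bound enforced before the recursive parser runs. The block below is an added example written for this bulletin, not code from json-smart, the XML.toJSONObject library or IBM; it shows the JSON side only (the same bound on element nesting is the fix for the XML path). MAX_DEPTH is an assumed application limit and the inputs are constructed.

```python
import json

MAX_DEPTH = 64  # assumed application limit; the vulnerable parsers had none


def max_nesting_depth(text: str) -> int:
    """Deepest array/object nesting in a JSON document, found by a linear scan.

    Brackets inside string literals are skipped, so '["[[["]' has depth 1.
    The scan is O(n) time and O(1) space and never recurses, so it cannot be
    turned against itself by the input it is guarding against.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def is_within_depth(text: str, max_depth: int = MAX_DEPTH) -> bool:
    """True if the document may be handed to a recursive parser."""
    return max_nesting_depth(text) <= max_depth


def guarded_loads(text: str, max_depth: int = MAX_DEPTH):
    """Parse JSON only after the nesting depth has been bounded."""
    depth = max_nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


# Constructed inputs (not taken from any real request).
BENIGN = '{"user": "alice", "roles": ["admin", ["nested", "list"]]}'
BOMB = "[" * 100_000 + "]" * 100_000  # the CVE-2023-1370 / CVE-2022-45688 shape

if __name__ == "__main__":
    print(max_nesting_depth(BENIGN), guarded_loads(BENIGN))
    try:
        guarded_loads(BOMB)
    except ValueError as exc:
        print("rejected:", exc)
```

CPython's own json module refuses BOMB with a RecursionError at roughly a thousand levels; the pre-scan turns that uncaught exception, which most services surface as a crash or a 500, into a deliberate rejection with a limit the application chooses.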
Remediation
Install the updates from the vendor's website.