SB2024041506 - Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Published: April 15, 2024 Updated: February 21, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 18 secuirty vulnerabilities.
1) Expected behavior violation (CVE-ID: CVE-2023-28322)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a logic error when sending HTTP POST and PUT requests using the same handle. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. As a result, the application can misbehave and either send off the wrong data or use memory after free or similar in the second transfer.
2) Stack-based buffer overflow (CVE-ID: CVE-2024-22667)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the did_set_langmap() function in map.c. A remote attacker can trick the victim to open a specially crafted file, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Off-by-one (CVE-ID: CVE-2023-6779)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an off-by-one error within the __vsyslog_internal() function. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.
4) Observable discrepancy (CVE-ID: CVE-2023-6135)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a side-channel attack in multiple NSS NIST curves, known as "Minerva". A remote attacker can recover the private key and decrypt data passed between server and client.
5) Cryptographic issues (CVE-ID: CVE-2023-5363)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error when processing key and initialisation vector lengths in EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() function. A remote attacker can gain access to potentially sensitive information.
The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.
6) Input validation error (CVE-ID: CVE-2023-50495)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the _nc_wrap_entry() function. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
7) Use-after-free (CVE-ID: CVE-2023-4813)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the gaih_inet() function when the getaddrinfo() function is called and the hosts database in
/etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
8) Out-of-bounds read (CVE-ID: CVE-2023-4527)
The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the getaddrinfo() function called with the AF_UNSPEC address family. A remote attacker with control over DNS server can send a DNS response via TCP larger than 2048 bytes, trigger an out-of-bounds read and crash the application or gain access to potentially sensitive information.
Successful exploitation of the vulnerability requires that system is configured with no-aaaa mode via /etc/resolv.conf.
9) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).
10) Improper certificate validation (CVE-ID: CVE-2023-28321)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper certificate validation when matching wildcards in TLS certificates for IDN names. A remote attacker crate a specially crafted certificate that will be considered trusted by the library.
Successful exploitation of the vulnerability requires that curl is built to use OpenSSL, Schannel or Gskit.
11) Out-of-bounds read (CVE-ID: CVE-2023-1255)
The vulnerability allows an attacker to perform a denial of service (DoS) attack.
12) Use-after-free (CVE-ID: CVE-2022-43552)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error while processing denied requests from HTTP proxies when using SMB or TELNET protocols. A remote attacker can trigger a use-after-free error and crash the application.
13) Out-of-bounds read (CVE-ID: CVE-2022-4203)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when performing name constraint checking of the X.509 certificates. A remote attacker can pass a specially crafted X.509 certificate to the affected server, trigger an out-of-bounds read error and read contents of memory on the system.
14) Heap-based buffer overflow (CVE-ID: CVE-2022-3715)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in valid_parameter_transform() function in GNU bash. A local user can trigger a heap-based buffer overflow and execute arbitrary code on the target system.
15) Input validation error (CVE-ID: CVE-2022-35252)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the way curl handles cookies with control codes (byte values below 32). When cookies that contain such control codes are later sent back to an
HTTP(S) server, it might make the server return a 400 response, effectively allowing a "sister site" to deny service to siblings.
16) Expected behavior violation (CVE-ID: CVE-2022-32221)
The vulnerability allows a remote attacker to force unexpected application behavior.
The vulnerability exists due to a logic error for a reused handle when processing subsequent HTTP PUT and POST requests. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request, which used that callback. As a result, such behavior can influence application flow and force unpredictable outcome.
17) Incorrect default permissions (CVE-ID: CVE-2022-32207)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to incorrect default permissions set to cookies, alt-svc and hsts data stored in local files. A local user with ability to read such files can gain access to potentially sensitive information.
18) Infinite loop (CVE-ID: CVE-2022-27781)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when handling requests with the CURLOPT_CERTINFO option. A remote attacker can consume all available system resources and cause denial of service conditions.
Remediation
Install update from vendor's website.