SB2024042406 - Multiple vulnerabilities in IBM MobileFirst Platform Foundation

Description

This security bulletin contains information about 31 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-22096)

The vulnerability allows a remote attacker to modify existing log records.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and inject arbitrary records into log files.

2) Code Injection (CVE-ID: CVE-2021-23369)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Prototype Pollution (CVE-ID: CVE-2021-23383)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when selecting certain compiling options to compile templates. A remote attacker can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

4) Cross-site scripting (CVE-ID: CVE-2019-20920)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Prototype pollution (CVE-ID: CVE-2022-22912)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

6) Cross-site request forgery (CVE-ID: CVE-2013-6429)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to SourceHttpMessageConverter in Spring MVC in Spring Framework does not disable external entity resolution. A remote attacker can trick the victim into visiting a specially crafted web page to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML.

7) Improper input validation (CVE-ID: CVE-2020-5421)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.

8) Cross-site scripting (CVE-ID: CVE-2013-6430)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework does not properly escape certain characters. The vulnerability allows remote user to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

9) Command Injection (CVE-ID: CVE-2021-42740)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the regex designed to support Windows drive letters before passing it into the exec() call. A remote attacker can pass specially crafted payload to the application and execute arbitrary code on the system.

10) Improper privilege management (CVE-ID: CVE-2018-1272)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to improper processing of multipart requests. A remote attacker can make a multipart request that injects malicious content to the target server, cause it to use wrong values and gain root privileges.

11) Cross-site request forgery (CVE-ID: CVE-2014-0054)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework does not disable external entity resolution. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

12) Configuration (CVE-ID: CVE-2011-2730)

The issue may allow a local user to bypass implemented security restrictions.

The issue exists due to the possibility to bypass implemented security restrictions, related to secure boot. it was addressed by rebuilding the package with the new secure boot key.

13) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-7315)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to Spring MVC in Spring Framework does not disable external entity resolution for the StAX XMLInputFactory. A remote attacker can read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue.

14) XXE attack (CVE-ID: CVE-2015-3192)

The vulnerability allows a remote attacker to conduct XXe-attack on the target system.

The vulnerability exists in JBoss BPM Suite and BRMS. A remote attacker can cause denial of service conditions by submitting a specially crafted XML file that would cause out-of-memory errors when parsed.

Successful exploitation of this vulnerability may result in denial of service conditions on the target system.

15) XML External Entity injection (CVE-ID: CVE-2014-0225)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to application does not disable by default the resolution of URI references in a DTD declaration when processing user provided XML documents. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

16) Infinite loop (CVE-ID: CVE-2019-20922)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing specially-crafted templates. A remote attacker can consume all available system resources and cause denial of service conditions.

17) Code Injection (CVE-ID: CVE-2016-10541)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when processing the ">" and "<" operator used for redirection in shell. A remote attacker can pass specially crafted data to the application and execute arbitrary OS commands on the system.

18) Resource exhaustion (CVE-ID: CVE-2019-1010266)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the software does not properly parse user-supplied input in the Date Handler component. A remote authenticated attacker can send long strings that submit malicious input, which the library attempts to match using a regular expression and consume excessive amounts of CPU resources and cause a DoS condition.

19) Incorrect default permissions (CVE-ID: CVE-2020-17521)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for temporary files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.

20) Privilege escalation (CVE-ID: CVE-2016-6814)

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists due to a flaw in the Oracle Enterprise Manager Ops Center Networking (Apache Groovy) component. A remote attacker can escalate his privileges on the target system.

21) Prototype pollution (CVE-ID: CVE-2020-15366)

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.

22) Command injection (CVE-ID: CVE-2017-1000487)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists due to command injection when mishandling of double quoted strings. A remote attacker can submit specially crafted web content, inject and execute arbitrary commands.

23) Prototype polution (CVE-ID: CVE-2020-8203)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when using _.zipObjectDeep in lodash. A remote attacker can inject and execute arbitrary script code.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

24) Code Injection (CVE-ID: CVE-2019-10744)

The vulnerability allows a remote attacker to modify properties on the target system.

The vulnerability exists due to improper input validation in the "defaultsDeep" function. A remote attacker can send a specially crafted request and modify the prototype of "Object" via "{constructor: {prototype: {...}}}" causing the addition or modification of an existing property that will exist on all objects.

25) Code Injection (CVE-ID: CVE-2021-23358)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

26) Command Injection (CVE-ID: CVE-2021-23337)

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.

27) Input validation error (CVE-ID: CVE-2018-3721)

The vulnerability allows a remote authenticated user to manipulate data.

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

28) Incorrect Regular Expression (CVE-ID: CVE-2020-28500)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

29) Prototype pollution (CVE-ID: CVE-2018-16487)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the merge, mergeWith, and defaultsDeep functions. A remote attacker can send a specially crafted request and add or modify properties of Object.prototype.

Successful exploitation of this vulnerability may result in complete compromise of the affected application.

30) Code Injection (CVE-ID: CVE-2021-3918)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.

31) Prototype pollution (CVE-ID: CVE-2019-19919)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6857863