SB2024080589 - Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data
Published: August 5, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 27 secuirty vulnerabilities.
1) Release of invalid pointer or reference (CVE-ID: CVE-2023-0216)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to invalid pointer dereference in d2i_PKCS7 functions. A remote attacker can perform a denial of service (DoS) attack.
2) Out-of-bounds read (CVE-ID: CVE-2023-48161)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the DumpSCreen2RGB() function in gif2rgb.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
3) Information disclosure (CVE-ID: CVE-2023-46218)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in curl that allows a malicious HTTP server to set "super cookies" that are then passed back to more origins than what is otherwise allowed or possible. A remote attacker can force curl to send such cookie to different and unrelated sites and domains.
4) Reachable Assertion (CVE-ID: CVE-2023-38473)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the avahi_alternative_host_name() function. A local user can pass specially crafted data to the application and perform a denial of service (DoS) attack.
5) Reachable Assertion (CVE-ID: CVE-2023-38472)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the avahi_rdata_parse() function. A local user can pass specially crafted data to the application and perform a denial of service (DoS) attack.
6) Reachable Assertion (CVE-ID: CVE-2023-38471)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the dbus_set_host_name() function. A local user can perform a denial of service (DoS) attack.
7) Reachable Assertion (CVE-ID: CVE-2023-38470)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the avahi_escape_label() function. A remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.
8) Reachable Assertion (CVE-ID: CVE-2023-38469)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the avahi_dns_packet_append_record() function. A remote attacker can send specially crafted packets to the system and perform a denial of service (DoS) attack.
9) Improper synchronization (CVE-ID: CVE-2023-28320)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper synchronization when resolving host names using the alarm() and siglongjmp() function. A remote attacker can force the application to crash by influencing contents of the global buffer.
10) Use-after-free (CVE-ID: CVE-2023-28319)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a use-after-free error when checking the SSH sha256 fingerprint. A remote attacker can use the application to connect to a malicious SSH server, trigger a use-after-free error and gain access to potentially sensitive information.
Successful exploitation of the vulnerability requires usage of the the CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 option, and also CURLOPT_VERBOSE or CURLOPT_ERRORBUFFER options have to be set.
11) Input validation error (CVE-ID: CVE-2023-27534)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in the SFTP support when handling the tilde "~" character in the filepath. cURL will replace the tilde character to the current user's home directory and can reveal otherwise restricted files.
12) Input validation error (CVE-ID: CVE-2023-27533)
The vulnerability allows a remote attacker to manipulate requests.
The vulnerability exists due to missing documentation of the TELNET protocol support and the ability to pass on user name and "telnet options" for the server negotiation. A remote attacker can manipulate the connection sending unexpected data to the server via the affected client.
13) NULL pointer dereference (CVE-ID: CVE-2023-0401)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error during PKCS7 data verification. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
14) NULL pointer dereference (CVE-ID: CVE-2023-0217)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when validating the DSA public key. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
15) Improper locking (CVE-ID: CVE-2022-3996)
The vulnerability allows a remote attacker to perform a denial of service attack (DoS).
The vulnerability exists due to double-locking error if an X.509 certificate contains a malformed policy constraint and policy processing is enabled. A remote attacker can under certain circumstances perform a denial of service attack against the web server.
Successful exploitation of the vulnerability requires that policy processing being enabled on the server.
16) Resource exhaustion (CVE-ID: CVE-2022-32205)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to curl does not impose limits to the size of cookies stored in the system. A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and consume all available disk space.
17) Resource management error (CVE-ID: CVE-2022-27775)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper management of internal resources when handling IPv6 protocol. Due to errors in the logic, the config matching function did not take the IPv6 address zone id into account which could lead to libcurl reusing the wrong connection when one transfer uses a zone id and a subsequent transfer uses another (or no) zone id.
18) Memory leak (CVE-ID: CVE-2021-3998)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due memory leak in glibc realpath() function. A remote attacker can force the application to leak memory and perform denial of service attack or gain access to sensitive information.
19) NULL pointer dereference (CVE-ID: CVE-2021-38604)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the "sysdeps/unix/sysv/linux/mq_notify.c" file within NOTIFY_REMOVED data. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
20) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-22946)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error, related to incorrect enforcement of the --ssl-reqd option on the command line or CURLOPT_USE_SSL setting set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl. A remote attacker with control over the IMAP, POP3 or FTP server can send a specially crafted but perfectly legitimate response to the libcurl client and force it silently to continue its operations without TLS encryption and transmit data in clear text over the network.
21) Use of Uninitialized Variable (CVE-ID: CVE-2021-22925)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.
22) Insufficiently protected credentials (CVE-ID: CVE-2021-22923)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficiently protected credentials. A remote attacker can gain access to sensitive information on the target system.
23) Use-after-free (CVE-ID: CVE-2021-22901)
The vulnerability allows a remote attacker to crash the application or compromise the vulnerable system.
The vulnerability exists due to a use-after-free error when processing creation of new TLS sessions or during client certificate negotiation. A remote attacker can force the application to connect to a malicious server, trigger a use-after-free error and crash the application.
Remote code execution is also possible if the application can be forced to initiate multiple transfers with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection in order to inject a crafted memory content into the correct place in memory.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system but requires that libcurl is using OpenSSL.
24) Use of uninitialized variable (CVE-ID: CVE-2021-22898)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.
Proof of concept:
curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)25) Input validation error (CVE-ID: CVE-2017-6519)
The vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to avahi-daemon inadvertently responds to IPv6 unicast queries with source addresses that are not on-link. A remote attacker can submit specially crafted port-5353 UDP packet to trigger traffic amplification and cause the service to crash.
26) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2005-0602)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Unzip does not properly warn the user when extracting setuid or setgid files. A local user can trigger the vulnerability and escalate privileges on the system.
27) Path traversal (CVE-ID: CVE-2001-1268)
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A local user can send a specially crafted HTTP request and to overwrite arbitrary files during archive extraction via a . (dot dot) in an extracted filename.
Remediation
Install update from vendor's website.