SB2024082749 - Multiple vulnerabilities in IBM Cloud Pak System

Security Bulletin ID SB2024082749

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2012-5784)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Apache Axis did not verify that the server host name matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. A remote attacker can pass specially crafted input to the application and spoof an SSL server if they had a certificate that was valid for any domain name.

2) Input validation error (CVE-ID: CVE-2014-3596)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784. <a href="http://cwe.mitre.org/data/definitions/297.html" target="_blank">CWE-297: Improper Validation of Certificate with Host Mismatch</a>

Remediation

Install update from vendor's website.

References

https://www.ibm.com/support/pages/node/7142012