Multiple vulnerabilities in IBM InfoSphere Information Server

Published: 2024-09-16

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-21131 CVE-2024-27267
CWE-ID	CWE-20 CWE-362
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	IBM InfoSphere Information Server Server applications / Database software
Vendor	IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU94559

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21131

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM InfoSphere Information Server: All versions

External links

http://www.ibm.com/support/pages/node/7168397

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Race condition

EUVDB-ID: #VU97226

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27267

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')