SB2025010822 - Multiple vulnerabilities in IBM Big SQL on Cloud Pak for Data 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025010822

SB2025010822 - Multiple vulnerabilities in IBM Big SQL on Cloud Pak for Data

Published: January 8, 2025

Security Bulletin ID SB2025010822
Severity
Medium
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 22% Low 78%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2023-35116)

The vulnerability allows a remote authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Oracle Database Fleet Patching and Provisioning (jackson-databind) in Oracle Database Server. A remote authenticated user can exploit this vulnerability to perform service disruption.


2) Information disclosure (CVE-ID: CVE-2023-38729)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.


3) Input validation error (CVE-ID: CVE-2012-2677)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Integer overflow in the ordered_malloc function in boost/pool/pool.hpp in Boost Pool before 3.9 makes it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large memory chunk size value, which causes less memory to be allocated than expected.


4) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-25030)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.


5) Input validation error (CVE-ID: CVE-2024-25046)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


6) Resource exhaustion (CVE-ID: CVE-2024-27254)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


7) Input validation error (CVE-ID: CVE-2023-52296)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


8) Resource exhaustion (CVE-ID: CVE-2024-22360)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.


9) Improper input validation (CVE-ID: CVE-2021-28170)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Policy (Jakarta) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


Remediation

Install update from vendor's website.

References