SB2025011558 - Multiple vulnerabilities in IBM QRadar User Behavior Analytics

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025011558

SB2025011558 - Multiple vulnerabilities in IBM QRadar User Behavior Analytics

Published: January 15, 2025

Security Bulletin ID SB2025011558
Severity
High
Patch available
YES
Number of vulnerabilities 12
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 8% Medium 67% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 12 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2012-6708)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the  jQuery(strInput) function that does not differentiate selectors from HTML. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


2) Infinite loop (CVE-ID: CVE-2019-0205)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing user-supplied input. A remote attacker can pass malicious input to the application and consume all available system resources or cause denial of service conditions.


3) Missing Authentication for Critical Function (CVE-ID: CVE-2021-34538)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to CREATE() and DROP() function operations does not check for necessary authorization of involved entities in the query. A remote unauthenticated attacker can manipulate an existing UDF to drop and recreate UDFs pointing them to new jars that could be potentially malicious.


4) Security restrictions bypass (CVE-ID: CVE-2020-9492)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the way Apache Hadoop handles SPNEGO authorization headers. A remote WebHDFS client can trigger services to send server credentials to a webhdfs path for capturing the service principal.


5) Path traversal (CVE-ID: CVE-2021-29425)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.


6) Cross-site scripting (CVE-ID: CVE-2020-7656)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the load() function. A remote attacker can pass specially crafted HTML code to the application and execute it in browser in security context of the affected website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

PoC:

index.html:

<html>
<head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.8.3/jquery.js"></script>
</head>
<body>
    <div id="mydiv"></div>
    <script>
        $("#mydiv").load('inject.html #himom');
    </script>
</body>
</html>

inject.html:

<div id="himom"><script>alert('Arbitrary Code Execution');</script ></div>

7) Cross-site scripting (CVE-ID: CVE-2015-9251)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when a cross-domain Ajax request is performed without the dataType option. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary text/javascript responses in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


8) Cross-site scripting (CVE-ID: CVE-2011-4969)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to improper filtering of HTML code from user-supplied input before displaying the input. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


9) XML External Entity injection (CVE-ID: CVE-2019-10172)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.


10) Input validation error (CVE-ID: CVE-2019-10202)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to incorrect implementation of patch for Codehaus 1.9.x against insufficient data deserialization present in FasterXML jackson-databind. A remote attacker can bypass implemented protection measures and exploit known deserialization vulnerabilities in jackson-databind package.

11) Resource management error (CVE-ID: CVE-2021-22569)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. protobuf-java allowes the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.


12) Improper Certificate Validation (CVE-ID: CVE-2012-5783)

The vulnerability allows a remote attacker to perform a man-in-the-middle attack to spoof SSL servers via an arbitrary valid certificate.

The vulnerability exists due to Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. A remote attacker can perform a man-in-the-middle attack to spoof SSL servers via an arbitrary valid certificate.


Remediation

Install update from vendor's website.

References