SB2025012324 - Multiple vulnerabilities in IBM Spectrum Scale for IBM Elastic Storage Server

Security Bulletin ID SB2025012324

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) LDAP injection (CVE-ID: CVE-2021-39031)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to improper input validation when processing DLAP queries. A remote user can send a specially crafted request to modify the original LDAP query and gain unauthorized access to the application.

2) Spoofing attack (CVE-ID: CVE-2021-39038)

The vulnerability allows a remote attacker to perform clickjacking attack.

The vulnerability exists due to incorrect processing of user-supplied data, when REST API discovery is configured through the WebSphere administrative console Web Container settings to enable the API Discovery service, or through IBM WebSphere Application Server Liberty features mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, apiDiscovery-1.0, openapi-3.0 or openapi-3.1. A remote attacker can perform clickjacking attack.

Remediation

Install update from vendor's website.

References

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-spectrum-scale-packaged-in-ibm-ess-cve-2021-39031/