SB2025012735 - Multiple vulnerabilities in IBM Storage Copy Data Management

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025012735

SB2025012735 - Multiple vulnerabilities in IBM Storage Copy Data Management

Published: January 27, 2025 Updated: November 28, 2025

Security Bulletin ID SB2025012735
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2024-5535)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the SSL_select_next_proto() function when using NPN. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read and perform a denial of service (DoS) attack.


2) Out-of-bounds read (CVE-ID: CVE-2024-36124)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due Snappy tries to read outside the bounds of the given byte arrays when uncompressing certain data. A remote attacker can create a non-deterministic behavior or crash the JVM.


3) Improper Certificate Validation (CVE-ID: CVE-2024-2379)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper certificate validation for a QUIC connection under certain conditions, when built to use wolfSSL. A remote attacker can force the application to ignore the certificate and perform MitM attack.

Successful exploitation of the vulnerability requires that the used wolfSSL library was built with the OPENSSL_COMPATIBLE_DEFAULTS symbol set, which is not set for the recommended configure --enable-curl builds.


4) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2024-2398)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when sending HTTP/2 server push responses with an overly large number of headers. A remote attacker can send PUSH_PROMISE frames with an excessive amount of headers to the application, trigger memory leak and perform a denial of service (DoS) attack.


5) Improper validation of certificate with host mismatch (CVE-ID: CVE-2024-2466)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to libcurl does not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. A remote attacker force the application to completely skip the certificate check and perform MitM attack.


6) Input validation error (CVE-ID: CVE-2024-2004)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error when a protocol selection parameter option disables all protocols without adding any. As a result, the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols.


Remediation

Install update from vendor's website.

References