SB2025021122 - Multiple vulnerabilities in IBM Watson Studio on Cloud Pak for Data - Execution Engine for Apache Hadoop

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025021122

SB2025021122 - Multiple vulnerabilities in IBM Watson Studio on Cloud Pak for Data - Execution Engine for Apache Hadoop

Published: February 11, 2025 Updated: February 21, 2025

Security Bulletin ID SB2025021122
Severity
High
Patch available
YES
Number of vulnerabilities 24
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 4% Medium 71% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 24 secuirty vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-23916)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect implementation of the "chained" HTTP compression algorithms, where the number of links in the decompression chain was limited for each header instead of the entire request. A remote attacker can send a specially crafted compressed HTTP request with numerous headers and perform a denial of service (DoS) attack.


2) Expected behavior violation (CVE-ID: CVE-2023-28322)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a logic error when sending HTTP POST and PUT requests using the same handle. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. As a result, the application can misbehave and either send off the wrong data or use memory after free or similar in the second transfer.


3) Input validation error (CVE-ID: CVE-2022-35252)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the way curl handles cookies with control codes (byte values below 32). When cookies that contain such control codes are later sent back to an HTTP(S) server, it might make the server return a 400 response, effectively allowing a "sister site" to deny service to siblings.


4) Resource exhaustion (CVE-ID: CVE-2022-32205)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to curl does not impose limits to the size of cookies stored in the system. A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and consume all available disk space.


5) Insufficiently protected credentials (CVE-ID: CVE-2021-22923)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficiently protected credentials. A remote attacker can gain access to sensitive information on the target system.


6) Use of Uninitialized Variable (CVE-ID: CVE-2021-22925)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.


7) Use-after-free (CVE-ID: CVE-2022-43552)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error while processing denied requests from HTTP proxies when using SMB or TELNET protocols. A remote attacker can trigger a use-after-free error and crash the application.



8) Insufficient verification of data authenticity (CVE-ID: CVE-2021-22947)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists in the way libcurl handles the STARTTLS negotiation process. When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple "pipelined" responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.

Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

Over POP3 and IMAP an attacker can inject fake response data.


9) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2022-32208)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper handling of message verification failures when performing FTP transfers secured by krb5. A remote attacker can perform MitM attack and manipulate data.


10) Improper certificate validation (CVE-ID: CVE-2023-28321)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper certificate validation when matching wildcards in TLS certificates for IDN names. A remote attacker crate a specially crafted certificate that will be considered trusted by the library.

Successful exploitation of the vulnerability requires that curl is built to use OpenSSL, Schannel or Gskit.


11) Improper synchronization (CVE-ID: CVE-2023-28320)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper synchronization when resolving host names using the alarm() and siglongjmp() function. A remote attacker can force the application to crash by influencing contents of the global buffer.


12) Information disclosure (CVE-ID: CVE-2022-27776)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to curl can leak authentication or cookie header data during HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme.

The vulnerability exists due to an incomplete fix for #VU10224 (CVE-2018-1000007).


13) XML External Entity injection (CVE-ID: CVE-2021-22922)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.


14) Resource exhaustion (CVE-ID: CVE-2022-32206)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure processing of compressed HTTP responses. A malicious server can send a specially crafted HTTP response to curl and perform a denial of service attack by forcing curl to spend enormous amounts of allocated heap memory, or trying to and returning out of memory errors.


15) Use-after-free (CVE-ID: CVE-2023-28319)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a use-after-free error when checking the SSH sha256 fingerprint. A remote attacker can use the application to connect to a malicious SSH server, trigger a use-after-free error and gain access to potentially sensitive information.

Successful exploitation of the vulnerability requires usage of the the CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 option, and also CURLOPT_VERBOSE or CURLOPT_ERRORBUFFER options have to be set.


16) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.


17) Cleartext transmission of sensitive information (CVE-ID: CVE-2021-22946)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error, related to incorrect enforcement of the --ssl-reqd option on the command line or CURLOPT_USE_SSL setting set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl. A remote attacker with control over the IMAP, POP3 or FTP server can send a specially crafted but perfectly legitimate response to the libcurl client and force it silently to continue its operations without TLS encryption and transmit data in clear text over the network.


18) Improper Certificate Validation (CVE-ID: CVE-2021-22926)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an error in the CURLOPT_SSLCERT option mixup with TLS library Secure Transport. A remote attacker can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake.


19) Infinite loop (CVE-ID: CVE-2022-27781)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when handling requests with the CURLOPT_CERTINFO option. A remote attacker can consume all available system resources and cause denial of service conditions.


20) Improper Authentication (CVE-ID: CVE-2022-22576)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when re-using OAUTH2 connections for SASL-enabled protocols, such as SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). libcurl may reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. As a result, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer can subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer.

A remote attacker can exploit this vulnerability against applications intended for use in multi-user environments to bypass authentication and gain unauthorized access to victim's accounts.



21) Heap-based buffer overflow (CVE-ID: CVE-2023-38545)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).


22) Incorrect default permissions (CVE-ID: CVE-2022-32207)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect default permissions set to cookies, alt-svc and hsts data stored in local files. A local user with ability to read such files can gain access to potentially sensitive information.


23) Expected behavior violation (CVE-ID: CVE-2022-32221)

The vulnerability allows a remote attacker to force unexpected application behavior.

The vulnerability exists due to a logic error for a reused handle when processing subsequent HTTP PUT and POST requests. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request, which used that callback. As a result, such behavior can influence application flow and force unpredictable outcome.


24) Heap-based buffer overflow (CVE-ID: CVE-2022-3715)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in valid_parameter_transform() function in GNU bash. A local user can trigger a heap-based buffer overflow and execute arbitrary code on the target system.


Remediation

Install update from vendor's website.

References