SB2021120330 - Multiple Vulnerabilities in IBM Cloud Pak for Multicloud Management 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021120330

SB2021120330 - Multiple Vulnerabilities in IBM Cloud Pak for Multicloud Management

Published: December 3, 2021

Security Bulletin ID SB2021120330
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 50% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Out-of-bounds write (CVE-ID: CVE-2021-23994)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the WebGL framebuffer. A remote attacker can create a specially crafted web page, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.


2) Insecure Inherited Permissions (CVE-ID: CVE-2021-23998)

the vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the way HTTP pages inherit a secure lock icon, when navigating from an HTTP page. A remote attacker can create a specially crafted webpage that through a series of complicated navigation will force the browser to display a secure lock icon on an unencrypted HTTP page.


3) Insecure Inherited Permissions (CVE-ID: CVE-2021-23999)

the vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the way Firefox handles Blob URLs. If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content.


4) Input validation error (CVE-ID: CVE-2021-29946)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header.


Remediation

Install update from vendor's website.

References