SB2022072613 - Improper Verification of Cryptographic Signature in IBM Cloud Automation Manager
Published: July 26, 2022
Security Bulletin ID
SB2022072613
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2022-24773)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. A remote unauthenticated attacker can get a successful verification with signatures that contain invalid structures but a valid digest
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-automation-manager-3/"
- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-automation-manager-3/</a><br><a
- https://www.ibm.com/support/pages/node/6606921"
- https://www.ibm.com/support/pages/node/6606921</a><br><br><br></p>