SB2022082239 - Multiple vulnerabilities in IBM Spectrum Control

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) OS Command Injection (CVE-ID: CVE-2022-2068)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the c_rehash script distributed by some operating systems. A remote attacker with ability to pass data to c_rehash script can and execute arbitrary OS commands with the privileges of the script.

The vulnerability exists due to incomplete fix for #VU62765 (CVE-2022-1292).

2) Missing Encryption of Sensitive Data (CVE-ID: CVE-2022-2097)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation. Under specific circumstances OpenSSL does not encrypt the entire message and can reveal sixteen bytes of data that was preexisting in the memory that wasn't written. A remote attacker can gain access to potentially sensitive information.

3) Improper Authentication (CVE-ID: CVE-2022-22475)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to an unspecified error. A remote authenticated user can spoof identity of other application users.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-vulnerable-to-multiple-weaknesses-related-to-ibm-websphere-application-server-liberty-and-openssl-cve-2022-2068-cve-2022-2097-cve-2022-22475/"
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-vulnerable-to-multiple-weaknesses-related-to-ibm-websphere-application-server-liberty-and-openssl-cve-2022-2068-cve-2022-2097-cve-2022-22475/</a></p><p>
• https://www.ibm.com/support/pages/node/6613565</p><p><br></p>