SB2022110923 - Denial of service in IBM Operations Analytics
Published: November 9, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource management error (CVE-ID: CVE-2021-22569)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. protobuf-java allowes the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that would be
processed out of order. A small malicious payload can occupy the parser
for several minutes by creating large numbers of short-lived objects
that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-google-protocol-buffer-affect-ibm-operations-analytics-log-analysis-cve-2021-22569/"
- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-google-protocol-buffer-affect-ibm-operations-analytics-log-analysis-cve-2021-22569/</a><br>
- https://www.ibm.com/support/pages/node/6837601<br><br></p>