SB2022122738 - Multiple vulnerabilities in IBM Spectrum Copy Data Management

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2022-39399)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

2) Improper input validation (CVE-ID: CVE-2022-21619)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

3) Improper input validation (CVE-ID: CVE-2022-21624)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JNDI component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-2625)

The vulnerability allows a remote user to escalate privileges within the database.

The vulnerability exists due to extension scripts can replace objects that do not belong to the extension when using the CREATE OR REPLACE or CREATE IF NOT EXISTS commands. A remote user with (1) permissions to create non-temporary objects in at least one schema, (2) ability to lure or wait for an administrator to create or update an affected extension in that schema, and (3) ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS can run arbitrary code as the victim role.

5) Out-of-bounds write (CVE-ID: CVE-2022-40149)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted XML or JSON data. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.

6) Improper input validation (CVE-ID: CVE-2022-21628)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

7) Improper input validation (CVE-ID: CVE-2022-21618)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

8) Resource exhaustion (CVE-ID: CVE-2022-40150)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing untrusted XML or JSON data. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

9) Improper input validation (CVE-ID: CVE-2022-21626)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6845948