SB2023011262 - Multiple vulnerabilities in IBM Cloud Pak for Security (CP4S)
Published: January 12, 2023 Updated: January 22, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 41 secuirty vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2021-45958)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in Buffer_AppendIndentUnchecked. A remote unauthenticated attacker can trigger stack-based buffer overflow and cause a denial of service condition on the target system.
2) Stack-based buffer overflow (CVE-ID: CVE-2022-25313)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in build_model. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Resource exhaustion (CVE-ID: CVE-2021-45960)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the storeAtts() function in xmlparse.c. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Input validation error (CVE-ID: CVE-2022-25236)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper protection against insertion of namesep characters into namespace URIs in xmlparse.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
5) Code Injection (CVE-ID: CVE-2022-25235)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the affected application lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Input validation error (CVE-ID: CVE-2022-1271)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation when processing filenames with two or more newlines. A remote attacker can force zgrep or xzgrep to write arbitrary files on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
7) Incorrect authorization (CVE-ID: CVE-2022-1365)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to exposure of sensitive information due to insecure following of redirects. A remote attacker can force the application to redirect to a malicious website and gain access to authorization cookie.
8) Input validation error (CVE-ID: CVE-2022-31116)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error when decoding untrusted input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
9) Double Free (CVE-ID: CVE-2022-31117)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when decoding untrusted input. A remote attacker can pass specially crafted data to the application, trigger double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Code Injection (CVE-ID: CVE-2021-3918)
The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.
11) Integer overflow (CVE-ID: CVE-2021-46143)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the doProlog() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Prototype Pollution (CVE-ID: CVE-2020-7608)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and add or modify properties of Object.prototype using a "__proto__" payload.
13) Use-after-free (CVE-ID: CVE-2021-20232)
The vulnerability allows a remote attacker to compromise vulnerable system.
The
vulnerability exists due to a use-after-free error in client_send_params in lib/ext/pre_shared_key.c. A remote attacker can trick the victim to connect
to a malicious server using a large Client Hello message over TLS 1.3,
trigger a use-after-free error and crash the application or execute
arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
14) Use-after-free (CVE-ID: CVE-2021-20231)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in client sending key_share extension. A remote attacker can trick the victim to connect to a malicious server using a large Client Hello message over TLS 1.3, trigger a use-after-free error and crash the application or execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
15) Input validation error (CVE-ID: CVE-2021-3580)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in nettle's RSA decryption functions due to insufficient validation of certain ciphertexts. A remote attacker can send specially crafted data to the server and perform a denial of service (DoS) attack.
16) Cross-site scripting (CVE-ID: CVE-2021-43818)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the HTML Cleaner in lxml.html. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
17) Incorrect Regular Expression (CVE-ID: CVE-2022-33879)
The vulnerability allows a remote attacker to perform DoS attack.
The vulnerability exists due to improper validation in the StandardsExtractingContentHandler. A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.The vulnerability exists due to incomplete fixes for #VU63404 (CVE-2022-30126) and #VU63904 (CVE-2022-30973).
18) Incorrect Regular Expression (CVE-ID: CVE-2022-30126)
The vulnerability allows a remote attacker to perform DoS attack.
The vulnerability exists due to improper validation in the StandardsText class. A remote attacker can pass specially crafted file to the application and perform a denial of service (DoS) attack.
19) Resource exhaustion (CVE-ID: CVE-2022-25169)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in BPG parser. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
20) Integer overflow (CVE-ID: CVE-2022-25314)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in copyString. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
21) Integer overflow (CVE-ID: CVE-2022-22822)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the addBinding() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
22) Buffer overflow (CVE-ID: CVE-2022-3602)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing the email address field inside X.509 certificate. A remote attacker can supply a specially crafted certificate to the application, trigger a 4-byte buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that either a CA signs the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.
23) Use of Uninitialized Variable (CVE-ID: CVE-2021-22925)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.
24) Buffer overflow (CVE-ID: CVE-2022-3786)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The
vulnerability exists due to a boundary error when processing the email
address field length inside a X.509 certificate. A remote attacker can supply a
specially crafted certificate to the application, trigger a buffer overflow and crash the application.
25) Insufficient verification of data authenticity (CVE-ID: CVE-2021-43616)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient verification of data authenticity in the npm ci command. A remote attacker can exploit the vulnerability to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
26) Incorrect Implementation of Authentication Algorithm (CVE-ID: CVE-2022-27782)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way libcurl handles previously used connections in a connection pool for subsequent transfers. Several TLS and SSH settings were left out from the configuration match checks, resulting in erroneous matches for different resources. As a result, libcurl can send authentication string from one resource to another, exposing credentials to a third-party.
27) Information disclosure (CVE-ID: CVE-2022-27776)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl can leak authentication or cookie header data during HTTP redirects to the same host but another port number. When asked to send custom headers or cookies in its HTTP requests, curl sends that set of headers only to the host which name is used in the initial URL, so that redirects to other hosts will make curl send the data to those. However, due to a flawed check, curl wrongly also sends that same set of headers to the hosts that are identical to the first one but use a different port number or URL scheme.
The vulnerability exists due to an incomplete fix for #VU10224 (CVE-2018-1000007).
28) Information disclosure (CVE-ID: CVE-2022-27774)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to curl attempts to follow redirects during authentication process and does not consider different port numbers or protocols to be separate authentication targets. If the web application performs redirection to a different port number of protocol, cURL will allow such redirection and will pass credentials. It could also leak the TLS SRP credentials this way.
By default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked to allow redirects to all protocols curl supports.
29) Improper Authentication (CVE-ID: CVE-2022-22576)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when re-using OAUTH2 connections for SASL-enabled protocols, such as SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). libcurl may reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. As a result, a connection that is successfully created and authenticated with a user name + OAUTH2 bearer can subsequently be erroneously reused even for user + [other OAUTH2 bearer], even though that might not even be a valid bearer.
A remote attacker can exploit this vulnerability against applications intended for use in multi-user environments to bypass authentication and gain unauthorized access to victim's accounts.
30) Use of uninitialized variable (CVE-ID: CVE-2021-22898)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.
Proof of concept:
curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)31) Information disclosure (CVE-ID: CVE-2021-22876)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to libcurl does not strip off user credentials from the URL when automatically populating the Referer:
HTTP request header field in outgoing HTTP requests and therefore
risks leaking sensitive data to the server that is the target of the
second HTTP request.
32) Information disclosure (CVE-ID: CVE-2021-23566)
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the valueOf() function. A local attacker can gain unauthorized access to sensitive information on the system.
33) Integer overflow (CVE-ID: CVE-2022-22823)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the build_model() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
34) Information disclosure (CVE-ID: CVE-2022-29244)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to npm pack ignores root-level .gitignore and .npmignore file exclusion
directives when run in a workspace or with a workspace flag (ie.
`--workspaces`, `--workspace=
35) Heap-based buffer overflow (CVE-ID: CVE-2019-18218)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the cdf_read_property_info() function in cdf.c in file due to improper restrictions of the number of CDF_VECTOR elements. A local user can place a specially crafted CDF (Composite Document File) file on the system, trick the victim into reading it with the affected software, trigger heap-based buffer overflow (4-byte out-of-bounds write) and execute arbitrary code on the target system with elevated privileges.
36) Integer overflow (CVE-ID: CVE-2022-23852)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
37) Integer overflow (CVE-ID: CVE-2022-25315)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in storeRawNames function. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
38) Integer overflow (CVE-ID: CVE-2022-22827)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the storeAtts() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
39) Integer overflow (CVE-ID: CVE-2022-22826)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the nextScaffoldPart() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
40) Integer overflow (CVE-ID: CVE-2022-22825)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the lookup() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
41) Integer overflow (CVE-ID: CVE-2022-22824)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in the defineAttribute() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.