SB2023022737 - Multiple vulnerabilities in IBM Tivoli Network Manager (ITNM)
Published: February 27, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) XML External Entity injection (CVE-ID: CVE-2020-25649)
The vulnerability allows a remote attacker to modify information on the system.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and modify information on the system.
2) Resource management error (CVE-ID: CVE-2021-22569)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. protobuf-java allowes the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that would be
processed out of order. A small malicious payload can occupy the parser
for several minutes by creating large numbers of short-lived objects
that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.
3) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2021-38153)
The vulnerability allows a local user to escalate privileges on the system.
the vulnerability exists due to some components in Apache Kafka use "Arrays.equals" to validate a password or key, which is vulnerable to timing attacks. A local user can abuse the "Arrays.equals" to brute force access credentials and escalate privileges on the system.
Remediation
Install update from vendor's website.