SB2023060110 - Multiple vulnerabilities in IBM Edge Application Manager 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023060110

SB2023060110 - Multiple vulnerabilities in IBM Edge Application Manager

Published: June 1, 2023

Security Bulletin ID SB2023060110
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2022-3171)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input containing multiple instances of non-repeated embedded messages with repeated or unknown fields. A remote attacker can cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.


2) Input validation error (CVE-ID: CVE-2022-3509)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


3) Improper input validation (CVE-ID: CVE-2022-3510)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Policy (Google Protobuf-Java) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


4) Improper Preservation of Permissions (CVE-ID: CVE-2023-28642)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper preservation of permissions in the AppArmor and SELinux when /proc inside the container is symlinked with a specific mount configuration. A remote attacker can gain access to the target application.


5) Improper Preservation of Permissions (CVE-ID: CVE-2023-25809)

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to the rootless "/sys/fs/cgroup" is writable when cgroupns is not unshared. A local administrator can gain the write access to user-owned cgroup hierarchy "/sys/fs/cgroup/user.slice/..." on the host.


6) Improper Privilege Management (CVE-ID: CVE-2023-25173)

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management where supplementary groups are not set up properly inside a container. A local user can use supplementary group access to bypass primary group restrictions and compromise the container.


7) Resource exhaustion (CVE-ID: CVE-2022-23471)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in containerd CRI stream server when handling terminal resize events. A remote user can request a TTY and force it to fail by sending a faulty command and exhaust memory on the host.


8) Resource exhaustion (CVE-ID: CVE-2023-25153)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when importing an OCI image. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References