SB2023071921 - Multiple vulnerabilities in IBM Cloud Pak System 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023071921

SB2023071921 - Multiple vulnerabilities in IBM Cloud Pak System

Published: July 19, 2023

Security Bulletin ID SB2023071921
Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 13% Medium 50% Low 38%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Incorrect regular expression (CVE-ID: CVE-2021-23346)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


2) Information disclosure (CVE-ID: CVE-2022-0536)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.


3) Information disclosure (CVE-ID: CVE-2022-0155)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.


4) Information disclosure (CVE-ID: CVE-2018-6594)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the ElGamal implementation in PyCrypto due to generation of weak ElGamal key parameters by the source code in the lib/Crypto/PublicKey/ElGamal.py file. A remote attacker can gain access to potentially sensitive information.

5) Cryptographic issues (CVE-ID: CVE-2013-1445)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.


6) Cryptographic issues (CVE-ID: CVE-2012-2417)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key.


7) Buffer overflow (CVE-ID: CVE-2013-7459)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.


8) Incorrect regular expression (CVE-ID: CVE-2021-3803)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


Remediation

Install update from vendor's website.

References