SB2023102413 - Multiple vulnerabilities in IBM QRadar User Behavior Analytics

Description

This security bulletin contains information about 38 secuirty vulnerabilities.

1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-7764)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to web cache poisoning attack when accepting the Accept-Version header by default. A remote attacker can send a specially crafted HTTP request to the server to cause a denial of service condition.

2) Incorrect Regular Expression (CVE-ID: CVE-2022-37599)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input passed via the resourcePath variable to  interpolateName() function in interpolateName.js. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

3) Prototype pollution (CVE-ID: CVE-2022-24999)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.

4) Absolute Path Traversal (CVE-ID: CVE-2021-32803)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to a logic issue when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur.

By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

5) Path traversal (CVE-ID: CVE-2021-37712)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. A remote attacker can create a specially crafted archive that, when extracted, can overwrite arbitrary files on the system.

6) Path traversal (CVE-ID: CVE-2021-37701)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to input validation error when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. A remote attacker can create a specially crafted archive and overwrite arbitrary files on the system.

7) Path traversal (CVE-ID: CVE-2021-37713)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

8) Absolute Path Traversal (CVE-ID: CVE-2021-32804)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to a logic issue when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

9) Incorrect Regular Expression (CVE-ID: CVE-2021-23364)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

10) Inefficient regular expression complexity (CVE-ID: CVE-2021-23382)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions within the getAnnotationURL() and loadAnnotation() functions in lib/previous-map.js. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

11) Incorrect regular expression (CVE-ID: CVE-2022-25758)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions in loadAnnotation() function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

12) Incorrect Regular Expression (CVE-ID: CVE-2021-23362)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expression "shortcutMatch" in the "fromUrl" function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

13) Inefficient regular expression complexity (CVE-ID: CVE-2021-23368)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing source map with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

14) Code Injection (CVE-ID: CVE-2021-3918)

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data during the validation of a JSON object. A remote attacker can pass a specially crafted JSON file for validation and execute arbitrary code.

15) Incorrect Regular Expression (CVE-ID: CVE-2021-29060)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when the application is provided and checks a crafted invalid HWB string. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

16) Inefficient regular expression complexity (CVE-ID: CVE-2022-25901)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions within the Cookie.parse function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

17) Command Injection (CVE-ID: CVE-2021-42740)

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation in the regex designed to support Windows drive letters before passing it into the exec() call. A remote attacker can pass specially crafted payload to the application and execute arbitrary code on the system.

18) Input validation error (CVE-ID: CVE-2021-3807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when matching crafted invalid ANSI escape codes in ansi-regex. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

19) Incorrect Regular Expression (CVE-ID: CVE-2022-25927)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation passed via the trim() function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

20) Prototype pollution (CVE-ID: CVE-2020-15366)

The disclosed vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code.

21) NULL pointer dereference (CVE-ID: CVE-2018-20190)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp. A remote attacker can trick the victim into opening a specially crafted sass input file and perform a denial of service (DoS) attack.

22) Out-of-bounds read (CVE-ID: CVE-2019-6283)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in Sass::Prelexer::parenthese_scope in prelexer.hpp. A remote attacker can pass specially specially crafted data to the application, trigger out-of-bounds read error and read contents of memory on the system.

23) Uncontrolled Recursion (CVE-ID: CVE-2018-20821)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp. A remote attacker can trigger the vulnerability and gain access to potentially sensitive information.

24) Out-of-bounds read (CVE-ID: CVE-2018-11698)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in the function Sass::handle_error. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.

25) Improper Certificate Validation (CVE-ID: CVE-2020-24025)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to certificate validation is disabled when requesting binaries even if the user is not specifying an alternative download path. A remote attacker can perform MitM attack and compromise the affected application.

26) Stack-based buffer overflow (CVE-ID: CVE-2018-19838)

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to stack-based buffer overflow in functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). A remote attacker can send a specially crafted sass file, trigger memory corruption and cause the service to crash.

27) NULL pointer dereference (CVE-ID: CVE-2018-11694)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the function Sass::Functions::selector_append. A remote attacker can trick the victim into opening specially crafted data and perform a denial of service (DoS) attack.

28) Use-after-free (CVE-ID: CVE-2018-19827)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

29) Out-of-bounds read (CVE-ID: CVE-2019-6286)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(). A remote attacker can pass specially specially crafted data to the application, trigger out-of-bounds read error and read contents of memory on the system.

30) Incorrect Regular Expression (CVE-ID: CVE-2021-23343)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in splitDeviceRe, splitTailRe, and splitPathRe regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

31) Out-of-bounds read (CVE-ID: CVE-2019-6284)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in Sass::Prelexer::alternatives in prelexer.hpp. A remote attacker can pass specially specially crafted data to the application, trigger out-of-bounds read error and read contents of memory on the system.

32) Heap-based buffer over-read (CVE-ID: CVE-2018-19839)

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to heap-based buffer over-read in the function handle_error in sass_context.cpp. A remote attacker can send a specially crafted sass file, trigger memory corruption and cause the service to crash.

33) NULL pointer dereference (CVE-ID: CVE-2018-19797)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted sass input file.

34) Prototype pollution (CVE-ID: CVE-2022-37601)

The disclosed vulnerability allows a remote attacker to perform prototype pollution attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the parseQuery() function in parseQuery.js. A remote attacker can inject and execute arbitrary JavaScript code.

35) Incorrect Regular Expression (CVE-ID: CVE-2022-37603)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing URL within the interpolateName() function in interpolateName.js. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

36) Prototype pollution (CVE-ID: CVE-2021-39227)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code.

The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.

37) Incorrect Regular Expression (CVE-ID: CVE-2021-3765)

The vulnerability allows a remote attacker to perform a regular expression denial of service (ReDoS) attack.

The vulnerability exists due to improper input validation when handling user-supplied input. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.

38) Incorrect Regular Expression (CVE-ID: CVE-2022-31129)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when parsing overly long strings. A remote attacker can pass a string that contains more that 10k characters and perform regular expression denial of service (ReDoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6967283