SB2024030421 - Multiple vulnerabilities in IBM QRadar Suite Software 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024030421

SB2024030421 - Multiple vulnerabilities in IBM QRadar Suite Software

Published: March 4, 2024 Updated: November 29, 2024

Security Bulletin ID SB2024030421
Severity
High
Patch available
YES
Number of vulnerabilities 20
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 65% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 20 secuirty vulnerabilities.


1) Incorrect default permissions (CVE-ID: CVE-2021-41103)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for container root directories and some plugins. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host can discover, read, and modify those files.


2) Resource exhaustion (CVE-ID: CVE-2023-39325)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive consumption of internal resources when handling HTTP/2 requests. A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Incorrect Regular Expression (CVE-ID: CVE-2022-25883)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform regular expression denial of service (ReDos) attack.


4) Improper Authentication (CVE-ID: CVE-2018-16886)

The vulnerability allows a remote user to bypass authentication process.

The vulnerability exists due to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. A remote user can authenticate as user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.


5) Resource management error (CVE-ID: CVE-2020-15106)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources with the application, as a large slice causes panic in decodeRecord method. A remote attacker can  forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.


6) Improper input validation (CVE-ID: CVE-2018-1099)

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions on the target system.

The weakness exists due to improper validation of DNS hostnames. A remote attacker can send specially crafted requests, bypass security restrictions and gain network access to internal systems.

7) Incorrect Regular Expression (CVE-ID: CVE-2017-16137)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


8) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-42282)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input within the isPublic() function. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.


9) Path traversal (CVE-ID: CVE-2024-23334)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in aiohttp.web.static(follow_symlinks=True). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Request examples:

For windows: /static/../D:\flag.txt Poc

For Linux: /static/../../../../etc/passwd



10) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2024-23829)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.


11) Improper Privilege Management (CVE-ID: CVE-2023-25173)

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper privilege management where supplementary groups are not set up properly inside a container. A local user can use supplementary group access to bypass primary group restrictions and compromise the container.


12) Resource exhaustion (CVE-ID: CVE-2022-31030)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the ExecSync API. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


13) Resource exhaustion (CVE-ID: CVE-2022-23471)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in containerd CRI stream server when handling terminal resize events. A remote user can request a TTY and force it to fail by sending a faulty command and exhaust memory on the host.


14) Resource exhaustion (CVE-ID: CVE-2023-25153)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when importing an OCI image. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


15) Resource management error (CVE-ID: CVE-2021-21334)

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect management of internal resources. Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

16) Security restrictions bypass (CVE-ID: CVE-2022-23648)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when handling specially crafted image configuration in containerd where containers launched through containerd’s CRI implementation. A remote attacker can bypass any policy-based enforcement on container setup and access the read-only copies of arbitrary files and directories on the host.


17) Security restrictions bypass (CVE-ID: CVE-2021-43816)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a logic issue, which causes arbitrary files and directories on the host to be relabeled to match the container process label through the use of specially-configured bind mounts in a hostPath volume. A local user can place the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf` and gain read/write access to arbitrary file on the system.

The vulnerability affects containerd installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS.


18) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-32760)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to archive package allows chmod of file outside of unpack target directory. A remote attacker can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky.


19) Deserialization of Untrusted Data (CVE-ID: CVE-2023-47248)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized  Arrow IPC, Feather or Parquet data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


20) Inefficient regular expression complexity (CVE-ID: CVE-2024-24762)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing value of the "Content-Type" HTTP header with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


Remediation

Install update from vendor's website.

References