SB2024040818 - Multiple vulnerabilities in IBM Application Performance Management
Published: April 8, 2024
Description
This security bulletin contains information about 41 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2022-3510)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Policy (Google Protobuf-Java) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
2) Resource exhaustion (CVE-ID: CVE-2023-40692)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources under extreme stress conditions. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Resource exhaustion (CVE-ID: CVE-2023-40687)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can send a specially crafted RUNSTATS command on an 8TB table and perform a denial of service (DoS) attack.
4) SQL injection (CVE-ID: CVE-2023-38727)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.
5) Improper access control (CVE-ID: CVE-2023-38003)
The vulnerability allows a remote privileged user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user with DATAACCESS privileges can execute routines that they should not have access to.
6) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.
7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-43642)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a missing upper bound check on chunk length. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Resource exhaustion (CVE-ID: CVE-2023-34462)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources if no idle timeout handler was configured. A remote attacker can send a client hello packet, which leads the server to buffer up to 16MB of data per connection and results in a denial of service condition.
9) Input validation error (CVE-ID: CVE-2023-32731)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input when parsing HTTP2 requests. When the gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. This could lead to requests from the proxy being interpreted as containing headers from different proxy clients, leading to an information leak that can be used for privilege escalation or data exfiltration.
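The desynchronization described for CVE-2023-32731, as an added example that is not part of the original bulletin and is not gRPC code. It is a simplified model of an HPACK dynamic table (the 64-byte limit, header names and token values are constructed) that compares a decoder which stops parsing at the size error with one that keeps applying table insertions before rejecting the request.

```python
# Simplified model of an HPACK dynamic table (constructed; not gRPC code).
# Index 0 is the newest entry. Static table, Huffman coding and eviction omitted.
MAX_HEADER_BYTES = 64  # assumed receiver limit on decoded header size


class HeaderTooLarge(Exception):
    pass


def decode_block(table, ops, keep_table_in_sync):
    """Decode one header block against `table`, which is mutated in place.

    ("add", name, value) emits the header and inserts it into the table;
    ("ref", index) emits the table entry at that index.
    """
    headers, size, exceeded = [], 0, False
    for op in ops:
        field = (op[1], op[2]) if op[0] == "add" else table[op[1]]
        size += len(field[0]) + len(field[1])
        if size > MAX_HEADER_BYTES:
            exceeded = True
            if not keep_table_in_sync:
                # Behaviour the bulletin describes: parsing stops here, so
                # this and any later table insertions in the block are lost.
                raise HeaderTooLarge()
        if op[0] == "add":
            table.insert(0, field)  # same mutation the sender performed
        if not exceeded:
            headers.append(field)
    if exceeded:
        raise HeaderTooLarge()  # request rejected, table still in sync
    return headers


def simulate(keep_table_in_sync):
    """Return what the receiver decodes for client B's second request."""
    table = []
    blocks = [
        [("add", "authorization", "token-A")],            # client A
        [("add", "x-pad", "p" * 80),                      # client B, oversize
         ("add", "authorization", "token-B")],
        [("ref", 0)],                                     # client B: sender means token-B
    ]
    result = None
    for ops in blocks:
        try:
            result = decode_block(table, ops, keep_table_in_sync)
        except HeaderTooLarge:
            result = None
    return result
```

With `keep_table_in_sync=False` the final request resolves to client A's header; with `True` it resolves to client B's, matching the sender's table.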
10) Buffer overflow (CVE-ID: CVE-2023-39976)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in log_blackbox.c. A remote attacker can send an overly long log message to the application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
11) Double Free (CVE-ID: CVE-2002-0059)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can pass specially crafted data to the application, trigger a double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
12) Resource exhaustion (CVE-ID: CVE-2023-40373)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack with a specially crafted query containing common table expressions.
13) SQL injection (CVE-ID: CVE-2023-40372)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
14) Resource exhaustion (CVE-ID: CVE-2023-30987)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
15) Resource exhaustion (CVE-ID: CVE-2023-38719)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack during database deactivation on DPF.
16) SQL injection (CVE-ID: CVE-2023-38740)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
17) Resource exhaustion (CVE-ID: CVE-2023-30991)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
18) Resource exhaustion (CVE-ID: CVE-2023-38720)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote user can send a specially crafted ALTER TABLE statement, trigger resource exhaustion and perform a denial of service (DoS) attack.
19) Resource exhaustion (CVE-ID: CVE-2023-40374)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote user can send a specially crafted query statement, trigger resource exhaustion and perform a denial of service (DoS) attack.
20) Resource exhaustion (CVE-ID: CVE-2023-38728)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote user can send a specially crafted XML query statement, trigger resource exhaustion and perform a denial of service (DoS) attack.
21) Heap-based buffer overflow (CVE-ID: CVE-2022-37434)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing a large gzip header within inflateGetHeader in inflate.c. A remote attacker can pass a specially crafted file to the affected application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
22) Resource exhaustion (CVE-ID: CVE-2023-43020)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote user can send a specially crafted query and perform a denial of service (DoS) attack.
23) Use of uninitialized resource (CVE-ID: CVE-2015-8390)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to use of uninitialized resources when processing the [: and \ substrings in character classes. A remote attacker can pass specially crafted data to the application, trigger use of uninitialized resources and bypass implemented security mechanisms.
24) Buffer overflow (CVE-ID: CVE-2015-8383)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because PCRE mishandles certain repeated conditional groups. A remote attacker can cause a denial of service (buffer overflow) or possibly have an unspecified other impact via a crafted regular expression.
25) Heap-based buffer overflow (CVE-ID: CVE-2015-8381)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the compile_regex() function in pcre_compile.c in PCRE when handling related patterns with certain group references. A remote attacker can use a crafted regular expression to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
26) Buffer overflow (CVE-ID: CVE-2015-8386)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing regular expressions. A remote attacker can trigger memory corruption using a JavaScript RegExp object and execute arbitrary code on the target system.
27) Buffer overflow (CVE-ID: CVE-2015-8388)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because PCRE mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis. A remote attacker can cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression.
28) Buffer overflow (CVE-ID: CVE-2015-8385)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because PCRE mishandles the /(?|(k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references. A remote attacker can create a specially crafted Office document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
29) Integer overflow (CVE-ID: CVE-2015-8387)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because PCRE mishandles (?123) subroutine calls and related subroutine calls. A remote attacker can cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression.
30) Buffer overflow (CVE-ID: CVE-2015-8391)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because the pcre_compile function in pcre_compile.c in PCRE mishandles certain [: nesting. A remote attacker can cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression.
31) Information disclosure (CVE-ID: CVE-2015-8393)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because pcregrep in PCRE mishandles the -q option for binary files. A remote attacker can gain unauthorized access to sensitive information on the system.
32) Resource exhaustion (CVE-ID: CVE-2023-47701)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can send a specially crafted query, trigger resource exhaustion and perform a denial of service (DoS) attack.
33) Buffer overflow (CVE-ID: CVE-2015-8395)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because PCRE mishandles certain references. A remote attacker can cause a denial of service or possibly have unspecified other impact via a crafted regular expression.
34) Integer overflow (CVE-ID: CVE-2015-8394)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow when processing the (?() and (?(R) conditions. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
35) Data Handling (CVE-ID: CVE-2015-2328)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because PCRE mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion. A remote attacker can cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression.
36) Buffer overflow (CVE-ID: CVE-2015-2327)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because PCRE mishandles the /(((a2)|(a*)g<-1>))*/ pattern and related patterns with certain internal recursive back references. A remote attacker can cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression.
37) Integer overflow (CVE-ID: CVE-2020-14155)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow. A remote attacker can pass a large number after a (?C substring, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
38) Buffer overflow (CVE-ID: CVE-2015-8392)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because PCRE mishandles certain instances of the (?| substring. A remote attacker can cause a denial of service (unintended recursion and buffer overflow) or possibly have unspecified other impact via a crafted regular expression.
39) Resource exhaustion (CVE-ID: CVE-2023-29258)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can send a specially crafted federated query on specific federation objects and perform a denial of service (DoS) attack.
40) Resource exhaustion (CVE-ID: CVE-2023-45178)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion with a specially crafted request and perform a denial of service (DoS) attack.
41) Resource exhaustion (CVE-ID: CVE-2023-46167)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when a specially crafted cursor is used. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install the update from the vendor's website.