SB2024072414 - Multiple vulnerabilities in IBM Storage Defender - Resiliency Service

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2023-45288)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2024-25031)

The vulnerability allows a remote attacker in adjacent network to gain access to potentially sensitive information.

The vulnerability exists due to usage of an inadequate account lockout setting. A remote attacker in adjacent network can brute force account credentials to gain unauthorized access to sensitive information on the system.

3) Observable Response Discrepancy (CVE-ID: CVE-2024-38322)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to agent username and password error response discrepancy. A remote user can gain unauthorized access to sensitive information on the system.

4) Prototype pollution (CVE-ID: CVE-2024-33883)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation. A remote attacker can add or modify properties of Object.prototype using a __proto__ or constructor payload to execute arbitrary code on the system.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7158446