SB2024100832 - Multiple vulnerabilities in IBM Business Automation Manager Open Editions
Published: October 8, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 19 secuirty vulnerabilities.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-43642)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing upper bound check on chunk length. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Improper input validation (CVE-ID: CVE-2023-22102)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Connector/J component in MySQL Connectors. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
3) Integer overflow (CVE-ID: CVE-2023-34454)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in compress. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
4) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2023-44483)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files when using the JSR 105 API. A remote user can obtain a private key when generating an XML Signature with debug level enabled.
5) Path traversal (CVE-ID: CVE-2024-1459)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
6) Incorrect provision of specified functionality (CVE-ID: CVE-2024-4032)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists within the "ipaddress" module that contains incorrect information and private and public IP addresses for IPv4 and IPv6 protocols. This affects the is_private and is_global properties of the
ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and
ipaddress.IPv6Network classes. A remote attacker can bypass implemented security restrictions based on IP addresses or perform other actions, depending on the application's capabilities.
7) Command Injection (CVE-ID: CVE-2024-6923)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to insufficient validation of newlines for email headers when
serializing an email message. A remote attacker can inject arbitrary headers into serialized email messages.
8) Incorrect Regular Expression (CVE-ID: CVE-2024-6232)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of .tar archives when processing it with regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
9) Resource exhaustion (CVE-ID: CVE-2023-34462)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources if no idle timeout handler was configured. A remote attacker can send a client hello packet, which leads the server to buffer up to 16MB of data per connection and results in a denial of service condition.
10) Resource exhaustion (CVE-ID: CVE-2023-34455)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
11) Use of Potentially Dangerous Function (CVE-ID: CVE-2024-39331)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function. A remote attacker can execute arbitrary OS commands on the system.
12) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30205)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to Emacs in Org mode considers contents of remote files to be trusted. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.
13) Insufficient verification of data authenticity (CVE-ID: CVE-2024-30203)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to Gnus treats inline MIME contents as trusted. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code on the system.14) Integer overflow (CVE-ID: CVE-2024-45492)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the nextScaffoldPart() function in xmlparse.c. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Integer overflow (CVE-ID: CVE-2024-45491)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the dtdCopy() function in xmlparse.c. A remote attacker can pass specially crafted input to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
16) Buffer Underwrite ('Buffer Underflow') (CVE-ID: CVE-2024-45490)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary error in xmlparse.c when handling negative length for XML_ParseBuffer. A remote attacker can pass specially crafted input to the application, trigger buffer underflow and execute arbitrary code on the system.
17) Improper input validation (CVE-ID: CVE-2021-22570)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Compiling (protobuf) component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
18) Resource management error (CVE-ID: CVE-2022-26336)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the HMEF package. A remote attacker can pass specially crafted TNEF file to the application and perform a denial of service (DoS) attack.
19) Integer overflow (CVE-ID: CVE-2023-34453)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in shuffle. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
Remediation
Install update from vendor's website.