SB2024102322 - Multiple vulnerabilities in IBM Storage Scale System

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024102322

SB2024102322 - Multiple vulnerabilities in IBM Storage Scale System

Published: October 23, 2024

Security Bulletin ID SB2024102322
Severity
Low
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2024-36005)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the nft_netdev_event() function in net/netfilter/nft_chain_filter.c. A local user can perform a denial of service (DoS) attack.


2) Improper locking (CVE-ID: CVE-2021-46939)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the trace_clock_global() function in kernel/trace/trace_clock.c. A local user can perform a denial of service (DoS) attack.


3) Reachable Assertion (CVE-ID: CVE-2024-36000)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to reachable assertion within the alloc_huge_page() function in mm/hugetlb.c. A local user can perform a denial of service (DoS) attack.


4) NULL pointer dereference (CVE-ID: CVE-2023-52463)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the efivarfs_get_tree() function in fs/efivarfs/super.c. A local user can perform a denial of service (DoS) attack.


5) Improper locking (CVE-ID: CVE-2024-26925)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the __nf_tables_abort() and nf_tables_abort() functions in net/netfilter/nf_tables_api.c. A local user can perform a denial of service (DoS) attack.


6) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-7348)

The vulnerability allows a remote user to escalate privileges within the database.

The vulnerability exists due to a race condition when executing concurrent pg_dump sessions. A remote user with privileges to create and drop non-temporary objects can execute arbitrary SQL commands with the privileges of the role running pg_dump (which is often a superuser).


7) Out-of-bounds read (CVE-ID: CVE-2024-36883)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the net_alloc_generic() and register_pernet_operations() functions in net/core/net_namespace.c. A local user can perform a denial of service (DoS) attack.


8) Out-of-bounds read (CVE-ID: CVE-2024-26665)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the iptunnel_pmtud_build_icmpv6() function in net/ipv4/ip_tunnel_core.c. A local user can perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References