SB2025021478 - Multiple vulnerabilities in IBM Operational Decision Manager

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Authentication Bypass by Spoofing (CVE-ID: CVE-2024-51504)

The vulnerability allows a remote attacker to bypass IP-based authentication.

The vulnerability exists due to IPAuthenticationProvider is using the X-Forwarded-For HTTP  header when authenticated users by IP address in the Admin Server. A remote attacker can pass a trusted IP addresses via the X-Forwarded-For HTTP  header and gain unauthorized access to the application.

2) Resource management error (CVE-ID: CVE-2024-47535)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an unsafe reading of an environment file on Windows. A local user can create an overly large file and perform a denial of service (DoS) attack.

3) Improper Authorization (CVE-ID: CVE-2024-38827)

The vulnerability allows a remote attacker to bypass authorization.

The vulnerability exists due to presence of Locale dependent exceptions when using String.toLowerCase() and String.toUpperCase() for string comparison. A remote attacker can bypass authorization rules using specially crafted input.

Note, the vulnerability is related to #VU98795 (CVE-2024-38820).

4) Improper Authorization (CVE-ID: CVE-2024-38821)

The vulnerability allows a remote attacker to bypass authorization.

The vulnerability exists due to improper implementation of authorization checks when accessing static resources in WebFlux application. A remote non-authenticated attacker can bypass authorization process and gain unauthorized access to the application.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7183331