SB2025042446 - Multiple vulnerabilities in IBM Installation Manager and IBM Packaging Utility

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Memory leak (CVE-ID: CVE-2022-2191)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when handling incorrect TLS connections. A remote attacker can force the application to leak memory and perform denial of service attack.

2) Resource management error (CVE-ID: CVE-2022-2048)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling invalid HTTP/2 requests. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.

3) Integer overflow (CVE-ID: CVE-2023-36478)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in MetaDataBuilder.checkSize when handling HTTP/2 HPACK header values. A remote attacker can send specially crafted request to the server, trigger an integer overflow and crash the server.

4) Resource exhaustion (CVE-ID: CVE-2023-44487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".

Note, the vulnerability is being actively exploited in the wild.

5) Resource exhaustion (CVE-ID: CVE-2024-22201)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 connections. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

6) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-6763)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in HttpURI. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

7) Resource exhaustion (CVE-ID: CVE-2024-8184)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the ThreadLimitHandler.getRemote() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

8) Resource exhaustion (CVE-ID: CVE-2024-9823)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the DoSFilter. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

9) XML External Entity injection (CVE-ID: CVE-2023-4218)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to some files with xml content are parsed vulnerable against all sorts of XXE attacks. A local user can trick the victim into opening a specially crafted XML code and view contents of arbitrary files on the system or initiate requests to external systems.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7231640