SB2025060628 - Multiple vulnerabilities in IBM Observability with Instana (OnPrem)




Published: June 6, 2025

Security Bulletin ID: SB2025060628
Severity: High
Patch available: YES
Number of vulnerabilities: 34
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 15%, Medium 59%, Low 26%

Description

This security bulletin contains information about 34 security vulnerabilities.


1) Improper authentication (CVE-ID: CVE-2024-12797)

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to an error when using RFC7250 Raw Public Keys (RPKs) to authenticate a server. TLS and DTLS connections using raw public keys are vulnerable to man-in-the-middle attacks when server authentication failure is not detected by clients.

Note that the vulnerability can be exploited only when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain.


2) Out-of-bounds read (CVE-ID: CVE-2023-29934)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the component mlir::Type::getDialect(). A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the system.


3) Resource exhaustion (CVE-ID: CVE-2024-31852)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because LLVM generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


4) Out-of-bounds read (CVE-ID: CVE-2023-29939)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the component mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr). A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the system.


5) Out-of-bounds read (CVE-ID: CVE-2023-29933)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the component mlir::Block::getArgument. A remote attacker can trigger an out-of-bounds read error and cause a denial of service condition on the system.


6) Reachable assertion (CVE-ID: CVE-2023-29935)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an assertion failure at !replacements.count(op) && "operation was already replaced" in commit a0138390. A remote attacker can exploit the vulnerability to perform a denial of service attack.


7) Stack-based buffer overflow (CVE-ID: CVE-2024-8176)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling XML content. A remote attacker can pass specially crafted XML content to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


8) Improper input validation (CVE-ID: CVE-2024-21235)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


9) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-24806)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when handling hostnames longer than 256 characters within the uv_getaddrinfo() function in src/unix/getaddrinfo.c and its Windows counterpart src/win/getaddrinfo.c. A remote attacker can pass a specially crafted hostname to the application, which can be resolved to an attacker-controlled IP address, and initiate unauthorized requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.


10) Missing authorization (CVE-ID: CVE-2025-22235)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in the EndpointRequest.to() implementation. The function creates a matcher for null/** if the actuator endpoint for which the EndpointRequest has been created is disabled or not exposed. A remote non-authenticated attacker can gain unauthorized access to the application.


11) Resource exhaustion (CVE-ID: CVE-2025-32907)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when handling HTTP requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


12) Configuration (CVE-ID: CVE-2025-27820)

The issue may allow a remote attacker to bypass security restrictions.

The issue exists due to an error in PSL validation logic that disables domain checks, affecting cookie management and host name verification. A remote attacker can gain unauthorized access to sensitive information.


13) Improper access control (CVE-ID: CVE-2024-23944)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in persistent watchers. A remote user can bypass implemented security restrictions and obtain user names or login identifiers.


14) Use-after-free (CVE-ID: CVE-2024-56171)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the xmlSchemaIDCFillNodeTables() and xmlSchemaBubbleIDCNodeTables() functions in xmlschemas.c. A remote attacker can pass a specially crafted XML document to the application, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


15) Stack-based buffer overflow (CVE-ID: CVE-2025-24928)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the xmlSnprintfElements() function in valid.c. A remote attacker can pass specially crafted XML data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


16) Memory corruption (CVE-ID: CVE-2017-9047)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the xmlSnprintfElementContent function of XMLSoft libxml2 due to improper memory handling by the valid.c source code. A remote attacker can send a specially crafted XML file, trigger memory corruption and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


17) Out-of-bounds read (CVE-ID: CVE-2023-29942)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A local user can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.


18) Improper input validation (CVE-ID: CVE-2024-21217)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.


19) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-37967)

The vulnerability allows a remote administrator to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Kerberos, which leads to security restrictions bypass and privilege escalation.


20) Unchecked Return Value (CVE-ID: CVE-2023-6918)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because libssh does not check the return values of message digest (MD) operations in low memory conditions. A remote attacker can terminate the connection or force the library to use weak keys.


21) Resource exhaustion (CVE-ID: CVE-2024-22201)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources when handling HTTP/2 connections. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


22) Use-after-free (CVE-ID: CVE-2022-49043)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the xmlXIncludeAddNode() function in xinclude.c. A remote attacker can pass specially crafted XML input to the application, trigger a use-after-free error and crash the application or potentially execute arbitrary code.



23) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-33953)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because HPACK table accounting errors can lead to unwanted disconnects between clients and servers in exceptional cases. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


24) Input validation error (CVE-ID: CVE-2024-7246)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of HTTP/2 headers. A remote attacker can send a series of HTTP/2 requests to the application and gain access to sensitive information or perform a spoofing attack.


25) Input validation error (CVE-ID: CVE-2023-32732)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and cause termination of the connection between an HTTP/2 proxy and a gRPC server.


26) Memory leak (CVE-ID: CVE-2024-26462)

The vulnerability allows a remote attacker to perform a DoS attack on the target system.

The vulnerability exists due to a memory leak in /krb5/src/kdc/ndr.c. A remote attacker can force the application to leak memory and perform a denial of service attack.


27) Incorrect authorization (CVE-ID: CVE-2024-27309)

The vulnerability allows a remote attacker to gain access to sensitive information and modify data on the system.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can gain access to sensitive information and modify data on the system.


28) Heap-based buffer overflow (CVE-ID: CVE-2025-31115)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the lzma_stream_decoder_mt() function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


29) Resource management error (CVE-ID: CVE-2024-57699)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling specially crafted JSON input. A remote attacker can pass a large number of ’{’ characters to the application and perform a denial of service (DoS) attack.

Note that the vulnerability exists due to an incomplete fix for #VU75044 (CVE-2023-1370).


30) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.
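A pre-parse guard for the nesting problem described in items 29 and 30, written for this bulletin as an added example rather than code from the vendor or the affected library. It measures bracket depth iteratively, so the check itself cannot recurse, and it assumes strict JSON (double-quoted strings only); the names MAX_DEPTH, max_nesting_depth and safe_loads and the limit of 64 are assumptions.

```python
import json

MAX_DEPTH = 64  # assumed limit; choose one that fits your legitimate payloads


class NestingTooDeep(ValueError):
    """Raised when the input nests objects/arrays deeper than allowed."""


def max_nesting_depth(text, limit=MAX_DEPTH):
    """Return the deepest {...}/[...] nesting level in text.

    Runs in a single loop with O(1) state, so a flood of '{' characters
    is rejected after limit + 1 brackets instead of exhausting the stack.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            # Brackets inside string literals do not count as nesting.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
            if depth > limit:
                raise NestingTooDeep(f"nesting exceeds {limit} levels")
        elif ch in "}]":
            depth = max(depth - 1, 0)
    return deepest


def safe_loads(text, limit=MAX_DEPTH):
    """Check nesting depth first, then hand the text to the real parser."""
    max_nesting_depth(text, limit)
    return json.loads(text)
```

A guard like this belongs at the trust boundary, in front of any parser that has not yet been updated.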


31) Resource exhaustion (CVE-ID: CVE-2023-52428)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. A remote attacker can send a specially crafted request using a large JWE p2c header, trigger resource exhaustion and perform a denial of service (DoS) attack.
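A header check for the large p2c case in item 31, as an added example that is not taken from the affected library: it reads the protected header of a compact JWE before any key derivation and rejects PBES2 tokens whose iteration count is missing, malformed or above a cap. MAX_P2C, check_jwe_header and make_sample are assumed names, the cap is an assumed value, and the sample tokens are constructed with placeholder segments.

```python
import base64
import json

MAX_P2C = 1_000_000  # assumed cap on PBKDF2 iterations accepted from a token


class HeaderRejected(ValueError):
    """Raised when a JWE header must not be passed on to decryption."""


def b64url_decode(segment):
    # Compact serialization strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwe_header(compact, max_p2c=MAX_P2C):
    """Return the decoded protected header, or raise HeaderRejected."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise HeaderRejected("not a five-part compact JWE")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise HeaderRejected("unreadable protected header") from exc
    if not isinstance(header, dict):
        raise HeaderRejected("protected header is not a JSON object")
    alg = header.get("alg")
    if isinstance(alg, str) and alg.startswith("PBES2-"):
        p2c = header.get("p2c")
        # type() check rejects booleans, floats and strings posing as counts.
        if type(p2c) is not int or p2c < 1:
            raise HeaderRejected("p2c missing or not a positive integer")
        if p2c > max_p2c:
            raise HeaderRejected(f"p2c {p2c} exceeds cap {max_p2c}")
    return header


def make_sample(header):
    """Build a constructed compact JWE with placeholder body segments."""
    raw = json.dumps(header).encode()
    first = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return first + ".AAAA.AAAA.AAAA.AAAA"
```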


32) Inefficient regular expression complexity (CVE-ID: CVE-2025-27789)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expression. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.


33) Cross-site scripting (CVE-ID: CVE-2020-11023)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when passing <option> elements to jQuery’s DOM manipulation methods. A remote attacker can execute arbitrary JavaScript code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


34) Security features bypass (CVE-ID: CVE-2025-22233)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because String.toLowerCase() has some Locale-dependent exceptions when handling case-insensitive patterns in DataBinder. A remote attacker can bypass implemented security restrictions by passing specially crafted data to the application.

Note that the vulnerability exists due to an incomplete fix for #VU98795 (CVE-2024-38820).


Remediation

Install the update from the vendor's website.