SB2025062419 - Multiple vulnerabilities in IBM Storage Defender - Resiliency Service

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2025-32873)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the django.utils.html.strip_tags() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Heap-based buffer overflow (CVE-ID: CVE-2025-31115)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the lzma_stream_decoder_mt() function. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Security restrictions bypass (CVE-ID: CVE-2018-1313)

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions to the target system.

The weakness exists in the Network Server component due to improper security restrictions. If the Derby Network Server is started without specifying a security manager, the Derby Network Server will install a default Java security manager that enforces a basic policy. A remote attacker can send a specially crafted packet and cause the system to boot a database for which the location and contents of the database are under the attacker's control.

4) Information disclosure (CVE-ID: CVE-2016-0800)

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to usage of weak SSLv2 protocol, which requires to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data. A remote attacker can decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle.

The vulnerability is dubbed "DROWN" attack.

5) Memory corruption (CVE-ID: CVE-2016-2108)

The vulnerability allows a remote user to cause memory corruption on the target system.

The weakness exists due to buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER. As ASN.1 parser (specifically, d2i_ASN1_TYPE) can misinterpret a large universal tag as a negative zero value, attacker may easily corrupt memory.

Successful exploitation of the vulnerability will allow a malicious user to trigger memory corruption on the vulnerable system.

6) Resource management error (CVE-ID: CVE-2024-57699)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling a specially crafted JSON input. A remote attacker can pass a large number of ’{’ characters to the application and perform a denial of service (DoS) attack.

Note, the vulnerability exists due to incomplete fix for #VU75044 (CVE-2023-1370).

7) Uncontrolled Recursion (CVE-ID: CVE-2023-1370)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when processing nested arrays and objects. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service (DoS) attack.

8) Cryptographic issues (CVE-ID: CVE-2025-47278)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to the way fallback key configuration was handled. The application used the last fallback key for signing, rather than the current signing key, which could potentially lead to data tampering.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7235454