SB2025092437 - Multiple vulnerabilities in IBM Netezza Performance Server Replication Services

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025092437

SB2025092437 - Multiple vulnerabilities in IBM Netezza Performance Server Replication Services

Published: September 24, 2025

Security Bulletin ID SB2025092437
Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 80% Low 10%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2023-44981)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to improper implementation of SASL Quorum Peer authentication. The instance part in SASL authentication ID, which is listed in zoo.cfg server list, is optional and if it's missing, the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.


2) Improper access control (CVE-ID: CVE-2024-23944)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in persistent watchers. A remote user can bypass implemented security restrictions and obtain user names or login identifiers.


3) Deserialization of Untrusted Data (CVE-ID: CVE-2022-42003)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized data when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. A remote attacker can pass specially crafted data to the application and cause a denial of service condition on the target system.


4) Resource exhaustion (CVE-ID: CVE-2022-42004)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control usage of deeply nested arrays in BeanDeserializer._deserializeFromArray. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Deserialization of Untrusted Data (CVE-ID: CVE-2022-36944)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data during Java object deserialization. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


6) Insufficient entropy (CVE-ID: CVE-2023-31582)

The vulnerability allows a remote attacker to brute-force JWT token.

The vulnerability exists due to usage of insufficient entropy when generating JWT token. A remote attacker can brute-force the JWT token and gain unauthorized access to the application.


7) Resource exhaustion (CVE-ID: CVE-2023-51775)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion via large p2c (aka PBES2 Count) value and perform a denial of service (DoS) attack.


8) Integer overflow (CVE-ID: CVE-2023-34453)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in shuffle. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.


9) Integer overflow (CVE-ID: CVE-2023-34454)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in compress. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.


10) Resource exhaustion (CVE-ID: CVE-2023-34455)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References