SB2026010738 - Multiple vulnerabilities in IBM Operations Analytics - Log Analysis

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2025-27819)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.

2) Deserialization of Untrusted Data (CVE-ID: CVE-2025-27818)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote user can set the sasl.jaas.config property for connector's Kafka clients to 'com.sun.security.auth.module.LdapLoginModule' through various override properties (producer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config). This configuration enables the server to connect to an attacker's LDAP server and deserialize the LDAP response, potentially leading to the execution of java deserialization gadget chains on the Kafka connect server. 

3) Deserialization of Untrusted Data (CVE-ID: CVE-2023-25194)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to Apache Kafka Connect performs deserialization of data retrieved from the configured LDAP server in "com.sun.security.auth.module.JndiLoginModule". A remote user ability to create/modify connectors on the server with an arbitrary Kafka client SASL JAAS config can configure the server to connect to a malicious LDAP server and execute arbitrary Java code on the system.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7256310