SB2022063011 - Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Monitoring

Description

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error (CVE-ID: CVE-2021-32675)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing RESP request payloads with a large number of elements on many connections. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) Heap-based buffer overflow (CVE-ID: CVE-2021-32626)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing specially crafted Lua scripts. A remote attacker can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Out-of-bounds read (CVE-ID: CVE-2021-32672)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition, related to Lua Debugger. A remote attacker can read random data from heap.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-is-vulnerable-to-various-attacks-due-to-its-use-of-redis-cve-2021-32675-cve-2021-32626-cve-2021-32672/
• https://www.ibm.com/support/pages/node/6599643