Multiple vulnerabilities in IBM Workload Scheduler



Published: 2022-08-09
Risk High
Patch available YES
Number of vulnerabilities 7
CVE-ID CVE-2021-35586
CVE-2021-35578
CVE-2021-35564
CVE-2021-35559
CVE-2021-35565
CVE-2021-35588
CVE-2021-41035
CWE-ID CWE-20
CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
IBM Workload Scheduler
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU57489

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35586

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the ImageIO component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Workload Scheduler: before 9.5.0.6

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sdk-java-technology-edition-version-8-that-is-used-by-ibm-workload-scheduler/
http://www.ibm.com/support/pages/node/6607167


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU57495

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35578

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition when processing TLS 1.3 ClientHello packets. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Workload Scheduler: before 9.5.0.6

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sdk-java-technology-edition-version-8-that-is-used-by-ibm-workload-scheduler/
http://www.ibm.com/support/pages/node/6607167


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU57490

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35564

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Keytool component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Workload Scheduler: before 9.5.0.6

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sdk-java-technology-edition-version-8-that-is-used-by-ibm-workload-scheduler/
http://www.ibm.com/support/pages/node/6607167


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU57492

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35559

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Swing component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Workload Scheduler: before 9.5.0.6

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sdk-java-technology-edition-version-8-that-is-used-by-ibm-workload-scheduler/
http://www.ibm.com/support/pages/node/6607167


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU57494

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35565

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Workload Scheduler: before 9.5.0.6

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sdk-java-technology-edition-version-8-that-is-used-by-ibm-workload-scheduler/
http://www.ibm.com/support/pages/node/6607167


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU57497

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-35588

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Workload Scheduler: before 9.5.0.6

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sdk-java-technology-edition-version-8-that-is-used-by-ibm-workload-scheduler/
http://www.ibm.com/support/pages/node/6607167


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper access control

EUVDB-ID: #VU60083

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41035

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. The JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. A remote attacker can send a request to a non-public method and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Workload Scheduler: before 9.5.0.6

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sdk-java-technology-edition-version-8-that-is-used-by-ibm-workload-scheduler/
http://www.ibm.com/support/pages/node/6607167


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###