Multiple vulnerabilities in IBM Netezza as a Service



Published: 2022-10-14
Risk Medium
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2021-33194
CVE-2021-44716
CVE-2021-31525
CVE-2021-27918
CWE-ID CWE-835
CWE-20
CWE-674
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
IBM Netezza Performance Server
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Infinite loop

EUVDB-ID: #VU65693

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33194

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can pass crafted ParseFragment  input to the application, consume all available system resources and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2


CPE2.3 External links

http://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU58824

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-44716

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2


CPE2.3 External links

http://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Uncontrolled Recursion

EUVDB-ID: #VU54910

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-31525

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a DoS attack.

The vulnerability exists due to uncontrolled recursion when processing HTTP headers. A remote attacker can send a large header to ReadRequest or ReadResponse and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2


CPE2.3 External links

http://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Infinite loop

EUVDB-ID: #VU51486

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-27918

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when using xml.NewTokenDecoder with a custom TokenReader. A remote attacker can trick a victim to open a specially crafted XML content and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2


CPE2.3 External links

http://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###