Multiple vulnerabilities in IBM Netezza as a Service
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-33194 CVE-2021-44716 CVE-2021-31525 CVE-2021-27918 |
| CWE-ID | CWE-835 CWE-20 CWE-674 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM Netezza Performance Server Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Infinite loop
EUVDB-ID: #VU65693
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-33194
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker can pass crafted ParseFragment input to the application, consume all available system resources and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU58824
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-44716
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Uncontrolled Recursion
EUVDB-ID: #VU54910
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31525
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a DoS attack.
The vulnerability exists due to uncontrolled recursion when processing HTTP headers. A remote attacker can send a large header to ReadRequest or ReadResponse and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsIBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Infinite loop
EUVDB-ID: #VU51486
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27918
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when using xml.NewTokenDecoder with a custom TokenReader. A remote attacker can trick a victim to open a specially crafted XML content and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Netezza Performance Server: 11.2.2.1 - 11.2.2.2
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-is-vulnerable-to-denial-of-service-due-to-golang-net-package-cve-2021-33194-cve-2021-44716-cve-2021-31525/
http://www.ibm.com/support/pages/node/6599203
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
