SB2023022233 - Multiple vulnerabilities in IBM FlashSystem 840 and V840
Published: February 22, 2023
Security Bulletin ID
SB2023022233
Severity
Critical
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0112)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions within the getClass method in ParametersInterceptor. A remote non-authenticated attacker can manipulate the ClassLoader via a specially crafted request and execute arbitrary code on the system.
Note, the vulnerability exists due to incomplete fix for #VU5234 (CVE-2014-0094).
2) Security bypass (CVE-ID: CVE-2014-0094)
The vulnerability allows a remote attacker to bypass security restsrictions on the target system.The weakness exists due to an error in ParametersInterceptor. A remote attacker can use a specially crafted class parameter to manipulate the ClassLoader used by the application server.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
3) Infinite loop (CVE-ID: CVE-2014-0050)
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to boundary error when handling Content-Type HTTP header for multipart requests. By sending a specially crafted Content-Type header, containing 4092 characters in "boundary" field, a remote attacker can cause the application to enter into an infinite loop.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Note: the vulnerability was being actively exploited.
Remediation
Install update from vendor's website.