SB2023062140 - Multiple vulnerabilities in IBM Cloud Pak for Network Automation
Published: June 21, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 18 secuirty vulnerabilities.
1) Use of insufficiently random values (CVE-ID: CVE-2022-35255)
The vulnerability allows a remote attacker to decrypt sensitive information.
The vulnerability exists due to usage of weak randomness in WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. A remote attacker can decrypt sensitive information.
2) Information disclosure (CVE-ID: CVE-2023-25000)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the Shamir implementation uses precomputed table lookups. A remote user can perform a cache-timing attack and recover the Shamir shares.
3) SQL injection (CVE-ID: CVE-2023-0620)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data when using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
4) Input validation error (CVE-ID: CVE-2023-0665)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the PKI mount issuer endpoints do not correctly authorize access to remove an issuer or modify issuer metadata. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
5) Improper access control (CVE-ID: CVE-2023-24999)
The vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to the way the application handles authentication based on Approle SecretID. A remote user with access to the "/auth/approle/role/:role_name/secret-id-accessor/destroy" endpoint can destroy the secret ID of any other role by providing the secret ID accessor and disable access to Vault for other users.6) Resource exhaustion (CVE-ID: CVE-2022-32149)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to ParseAcceptLanguage does not properly control consumption of internal resources. A remote attacker can send a specially crafted Accept-Language header that will take a significant time to parse and perform a denial of service (DoS) attack.
7) Uncaught Exception (CVE-ID: CVE-2023-2251)
The vulnerability allows a remote attacker to cause a denial of service condition.
The vulnerability exists due uncaught exception in the parseDocument() and parseAllDocuments() functions. A remote unauthenticated attacker can send a specially crafted input and cause a denial of service condition.
8) Uncontrolled Recursion (CVE-ID: CVE-2023-1436)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
9) Unprotected Alternate Channel (CVE-ID: CVE-2023-28842)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
10) Input validation error (CVE-ID: CVE-2022-41716)
The vulnerability allows a local user to execute arbitrary OS commands on the system.
The vulnerability exists due to insecure processing of unsanitized NUL values in syscall.StartProcess and os/exec.Cmd. A local user on the Windows operating system can set a specially crafted environment variable and execute arbitrary OS commands on the system.
11) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
12) Path traversal (CVE-ID: CVE-2023-32309)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
13) Unprotected Alternate Channel (CVE-ID: CVE-2023-28840)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network and perform a denial of service (DoS) attack.
14) Infinite loop (CVE-ID: CVE-2023-24537)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when calling any of the Parse functions on Go source code which contains //line directives with very large line numbers. A remote attacker can consume all available system resources and cause denial of service conditions.
15) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-28841)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to missing encryption of sensitive data within the overlay network driver. A remote attacker can gain unauthorized access to sensitive information on the system.
16) Race condition (CVE-ID: CVE-2023-28858)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a race condition. A remote attacker can exploit the race and gain unauthorized access to sensitive information on the system.
17) Race condition (CVE-ID: CVE-2023-28859)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a race condition. A remote attacker can exploit the race and gain unauthorized access to sensitive information on the system.
18) Code Injection (CVE-ID: CVE-2023-24538)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in html/template when handling JavaScript templates that contain backticks in code. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.
Remediation
Install update from vendor's website.