SB2024062837 - Multiple vulnerabilities in IBM Asset Data Dictionary Component

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024062837

SB2024062837 - Multiple vulnerabilities in IBM Asset Data Dictionary Component

Published: June 28, 2024

Security Bulletin ID SB2024062837
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2023-44981)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to improper implementation of SASL Quorum Peer authentication. The instance part in SASL authentication ID, which is listed in zoo.cfg server list, is optional and if it's missing, the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree.


2) Integer overflow (CVE-ID: CVE-2023-34453)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in shuffle. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.


3) Resource exhaustion (CVE-ID: CVE-2023-34455)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


4) Integer overflow (CVE-ID: CVE-2023-34454)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in compress. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.


5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-43642)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing upper bound check on chunk length. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References