SB20240731208 - Multiple vulnerabilities in IBM Cloud Pak for Network Automation
Published: July 31, 2024 Updated: May 20, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 27 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2023-43788)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
2) Buffer overflow (CVE-ID: CVE-2024-2961)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the iconv() function when converting string to the ISO-2022-CN-EXT character set. A remote attacker can pass specially crafted input to the application, trigger a 4 byte buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Cryptographic issues (CVE-ID: CVE-2024-28834)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to a side-channel attack when using the gnutls_privkey_sign_data2 API function with the "GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE" flag. A remote attacker can launch Minerva attack and gain access to sensitive information.
4) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2023-5981)
The vulnerability allows a remote attacker to perform timing attack.
The vulnerability exists due to the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. A remote attacker can perform timing sidechannel attack in RSA-PSK key exchange.
5) Input validation error (CVE-ID: CVE-2023-25193)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in hb-ot-layout-gsubgpos.hh. A remote attacker can use consecutive marks during the process of looking back for base glyphs when attaching marks and perform a denial of service (DoS) attack.
6) Out-of-bounds read (CVE-ID: CVE-2021-29390)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read within the decompress_smooth_data() function in jdcoefct.c. A remote attacker can pass specially crafted image to the application and perform a denial of service attack.
7) Information disclosure (CVE-ID: CVE-2024-28849)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to credentials are shared via headers when following cross-domain redirects. A remote attacker can gain access to sensitive information.
8) Insufficient verification of data authenticity (CVE-ID: CVE-2024-34447)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to hostname verification is performed against a DNS-resolved IP address when endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname. A remote attacker can bypass implemented security restrictions.
9) Insufficient verification of data authenticity (CVE-ID: CVE-2023-7008)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature. A remote attacker can perform MitM attack.
10) Reachable Assertion (CVE-ID: CVE-2024-27983)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when handling HTTP/2 packets. A remote attacker can send a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside and perform a denial of service (DoS) attack.
11) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2024-27982)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
12) Out-of-bounds read (CVE-ID: CVE-2024-25629)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The
vulnerability exists due to a boundary error within the
ares__read_line() function when parsing local configuration files, such
as `/etc/resolv.conf`, `/etc/nsswitch.conf`, or `HOSTALIASES` file. A
local user can insert a NULL character as the first character in a new
line into one of the configuration files and crash the application.
13) Input validation error (CVE-ID: CVE-2024-22025)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling brotli decoding. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
14) Out-of-bounds read (CVE-ID: CVE-2023-43789)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
15) Resource exhaustion (CVE-ID: CVE-2021-33503)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in urllib3 when processing URL with multiple "@" characters in the authority component. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
16) Resource exhaustion (CVE-ID: CVE-2020-7212)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an inefficient algorithm in the "_encode_invalid_chars" function in "util/url.py". A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
17) CRLF injection (CVE-ID: CVE-2020-26137)
The vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
18) CRLF injection (CVE-ID: CVE-2019-9740)
The vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL after the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.
19) Inefficient regular expression complexity (CVE-ID: CVE-2022-40896)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in pygments/lexers/smithy.py. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
20) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-3177)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper access restrictions. A remote user can launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.
Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.
21) External control of file name or path (CVE-ID: CVE-2023-38546)
The vulnerability allows an attacker to inject arbitrary cookies into request.
The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific
file on disk, the cloned version of the handle would instead store the
file name as none (using the four ASCII letters, no quotes).
none - if such a file exists and is readable in the current directory of the program using libcurl. 22) Expected behavior violation (CVE-ID: CVE-2023-28322)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a logic error when sending HTTP POST and PUT requests using the same handle. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. As a result, the application can misbehave and either send off the wrong data or use memory after free or similar in the second transfer.
23) Code Injection (CVE-ID: CVE-2024-31573)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to XMLUnit for Java does not disable XSLT extension functions by default when performing XSLT transformations. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
24) Integer overflow (CVE-ID: CVE-2023-43787)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to integer overflow within the XCreateImage() function. A local user can trigger integer overflow and execute arbitrary code with elevated privileges.
25) Infinite loop (CVE-ID: CVE-2023-43786)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the PutSubImage() function. A local user can consume all available system resources and cause denial of service conditions.
26) Out-of-bounds read (CVE-ID: CVE-2023-43785)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the _XkbReadKeySyms() function. A local user can trigger an out-of-bounds read error and read contents of memory on the system.
27) Out-of-bounds read (CVE-ID: CVE-2022-48554)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the file_copystr() function in funcs.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.
Remediation
Install update from vendor's website.