Multiple vulnerabilities in IBM QRadar SIEM



| Updated: 2024-12-13
Risk High
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2024-3596
CVE-2024-10963
CVE-2024-10041
CVE-2023-34462
CVE-2022-41915
CVE-2022-41881
CVE-2023-33546
CVE-2019-12900
CVE-2024-52316
CVE-2024-52317
CVE-2024-52318
CVE-2023-35116
CVE-2024-51504
CVE-2024-23454
CWE-ID CWE-327
CWE-287
CWE-922
CWE-400
CWE-113
CWE-835
CWE-787
CWE-399
CWE-79
CWE-20
CWE-290
CWE-276
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #10 is available.
Vulnerable software
IBM QRadar Incident Forensics
Other software / Other software solutions

IBM Qradar SIEM
Client/Desktop applications / Other client software

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Use of a broken or risky cryptographic algorithm

EUVDB-ID: #VU94063

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-3596

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of a broken or risky cryptographic algorithm in RADIUS Protocol. A remote user can perform a man-in-the-middle (MitM) attack and gain access to target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Improper authentication

EUVDB-ID: #VU100912

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-10963

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in pam_access module where certain rules in its configuration file are mistakenly treated as hostnames. A remote attacker can bypass authentication process and gain unauthorized access to the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Insecure Storage of Sensitive Information

EUVDB-ID: #VU100997

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-10041

CWE-ID: CWE-922 - Insecure Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores secrets in memory in plain text. A local user can read the memory and obtain passwords in plain text when PAM is used to perform authentication.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU77573

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-34462

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources if no idle timeout handler was configured. A remote attacker can send a client hello packet, which leads the server to buffer up to 16MB of data per connection and results in a denial of service condition.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) HTTP response splitting

EUVDB-ID: #VU70119

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-41915

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not validate header values when calling DefaultHttpHeaders.set with an iterator of values. A remote attacker can inject arbitrary header values and perform HTTP splitting attacks.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Infinite loop

EUVDB-ID: #VU70118

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-41881

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the HaProxyMessageDecoder when parsing a TLV with type of "PP2_TYPE_SSL". A remote attacker can pass a specially crafted message to consume all available system resources and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds write

EUVDB-ID: #VU79924

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-33546

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when using the expression evaluator.guess parameter name method. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Out-of-bounds write

EUVDB-ID: #VU19178

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-12900

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the BZ2_decompress() function in decompress.c. A remote attacker can create a specially crafted archive, trick the victim into opening it using the affected library, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper Authentication

EUVDB-ID: #VU100588

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-52316

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests. If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Resource management error

EUVDB-ID: #VU100587

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-52317

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper management of internal resources when handling HTTP/2 responses, which causes request and/or response mix-up between users. A remote non-authenticated attacker can send a series of HTTP/2 requests and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

11) Cross-site scripting

EUVDB-ID: #VU100591

Risk: Medium

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-52318

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in generated JSPs. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU82122

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-35116

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Oracle Database Fleet Patching and Provisioning (jackson-databind) in Oracle Database Server. A remote authenticated user can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Authentication Bypass by Spoofing

EUVDB-ID: #VU99975

Risk: High

CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-51504

CWE-ID: CWE-290 - Authentication Bypass by Spoofing

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass IP-based authentication.

The vulnerability exists due to IPAuthenticationProvider is using the X-Forwarded-For HTTP  header when authenticated users by IP address in the Admin Server. A remote attacker can pass a trusted IP addresses via the X-Forwarded-For HTTP  header and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Incorrect default permissions

EUVDB-ID: #VU97712

Risk: Low

CVSSv4.0: [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-23454

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the RunJar.run() method does not set permissions for temporary directory by default. A local user with access to the system can view contents of files and directories.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM QRadar Incident Forensics: before 7.5.0 UP10 IF02

IBM Qradar SIEM: before 7.5.0 UP10 IF02

CPE2.3 External links

http://www.ibm.com/support/pages/node/7178556


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###