SB2025082547 - Multiple vulnerabilities in IBM Cloudera Observability on Premises with IBM
Published: August 25, 2025
Description
This security bulletin contains information about 20 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2021-28165)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing large TLS frames. A remote attacker can send specially crafted data to the server, trigger high CPU load and perform a denial of service (DoS) attack.
2) XML External Entity injection (CVE-ID: CVE-2014-125087)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view the contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.
3) Uncontrolled Recursion (CVE-ID: CVE-2024-7254)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.
4) Input validation error (CVE-ID: CVE-2022-3171)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input containing multiple instances of non-repeated embedded messages with repeated or unknown fields. A remote attacker can cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
5) Input validation error (CVE-ID: CVE-2022-3509)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
6) Resource management error (CVE-ID: CVE-2021-22569)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. protobuf-java allows the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they are processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. A remote attacker can trick the victim into passing specially crafted data to the application and perform a denial of service attack.
7) Improper Privilege Management (CVE-ID: CVE-2023-22946)
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management. A local user can supply specially crafted configuration-related classes on the classpath and exploit this vulnerability to execute arbitrary code with the privileges of the submitting user.
8) OS Command Injection (CVE-ID: CVE-2022-33891)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the ACL feature within the Apache Spark UI. A remote user can request a specially crafted URL and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, but requires that the "spark.acls.enable" option is set.
9) Cleartext storage of sensitive information (CVE-ID: CVE-2019-10099)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to an error that leads to writing data in plain text even if "spark.io.encryption.enabled=true" is set. A local user can gain access to sensitive information.
10) Security restrictions bypass (CVE-ID: CVE-2018-11770)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists in Apache Spark running standalone master with the REST API enabled, or running Mesos master with cluster mode enabled due to improper security restrictions. A remote unauthenticated attacker can use the REST API, execute a driver program without authentication and perform unauthorized actions.
11) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-6763)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in HttpURI. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
12) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-40167)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests when handling the "+" character passed via the HTTP/1 header field. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
13) Input validation error (CVE-ID: CVE-2022-2047)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when parsing invalid URIs such as http://localhost;/path. A remote attacker can pass specially crafted input to the application and bypass implemented security restrictions, as Jetty's HttpClient and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet will wrongly interpret the authority of such a URI as one with a hostname.
14) HTTP request smuggling attack (CVE-ID: CVE-2017-7658)
The disclosed vulnerability allows a remote attacker to conduct an HTTP request smuggling attack on the target system.
The vulnerability exists due to improper handling of HTTP requests that contain more than one Content-Length header. A remote attacker can send a specially crafted HTTP request that contains a Transfer-Encoding header and a Content-Length header, cause the software and an upstream HTTP agent to misinterpret the boundary of the request, and poison the web cache on the system, which could be used to conduct further attacks.
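Items 12 and 14 above are both request-framing ambiguities: a Content-Length value that is not a plain digit string, duplicate Content-Length headers, or Content-Length sent alongside Transfer-Encoding. A front-end proxy or WAF that rejects such requests before they reach the origin removes the disagreement between the two parsers that smuggling relies on. The following checker is an added example written for this bulletin, not Jetty code; the request strings in main() are constructed samples, not captured traffic, and the strict-digits rule follows the RFC 9110 grammar for Content-Length (1*DIGIT), which is what rules out a leading "+":

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public class FramingHeaderCheck {

    // RFC 9110: Content-Length = 1*DIGIT. No sign, no whitespace, no commas.
    private static final Pattern STRICT_DIGITS = Pattern.compile("[0-9]+");

    // Inspects the header block of one HTTP/1 request and returns the framing
    // problems found; an empty list means the message length is unambiguous.
    // Rules: at most one Content-Length, its value must be plain digits, and
    // Content-Length must not be combined with Transfer-Encoding.
    static List<String> findFramingProblems(String rawHeaders) {
        List<String> problems = new ArrayList<>();
        int contentLengthCount = 0;
        boolean hasTransferEncoding = false;
        for (String line : rawHeaders.split("\r?\n")) {
            int colon = line.indexOf(':');
            if (colon < 0) {
                continue; // request line or blank separator line
            }
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            if (name.equals("content-length")) {
                contentLengthCount++;
                if (!STRICT_DIGITS.matcher(value).matches()) {
                    problems.add("Content-Length value is not plain digits: '" + value + "'");
                }
            } else if (name.equals("transfer-encoding")) {
                hasTransferEncoding = true;
            }
        }
        if (contentLengthCount > 1) {
            problems.add("multiple Content-Length headers (" + contentLengthCount + ")");
        }
        if (contentLengthCount > 0 && hasTransferEncoding) {
            problems.add("Content-Length present together with Transfer-Encoding");
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample requests covering a clean message, a signed
        // Content-Length, and duplicate Content-Length plus Transfer-Encoding.
        String clean = "POST /api HTTP/1.1\r\nHost: example.test\r\n"
            + "Content-Length: 5\r\n\r\n";
        String signed = "POST /api HTTP/1.1\r\nHost: example.test\r\n"
            + "Content-Length: +5\r\n\r\n";
        String conflicting = "POST /api HTTP/1.1\r\nHost: example.test\r\n"
            + "Content-Length: 5\r\nContent-Length: 7\r\n"
            + "Transfer-Encoding: chunked\r\n\r\n";
        for (String req : new String[] {clean, signed, conflicting}) {
            System.out.println(findFramingProblems(req));
        }
    }
}
```

The clean request yields an empty list; the other two are flagged. Rejecting flagged requests with a 400 is the safe default, since a request whose length two parsers could read differently has no legitimate interpretation.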
15) Information disclosure (CVE-ID: CVE-2017-7657)
The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of queries that do not match the dynamic URL pattern for webapps that use default error handling settings. A remote attacker can send a query containing malicious input and trigger a java.nio.file.InvalidPathException message, which could allow the attacker to view sensitive information, such as the software installation path.
16) Resource exhaustion (CVE-ID: CVE-2023-26048)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing multipart requests in request.getParameter(). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
17) Information disclosure (CVE-ID: CVE-2019-10246)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because a server running on Windows exposes the fully qualified Base Resource directory name to a remote client when it is configured to show a listing of directory contents. A remote attacker can gain unauthorized access to sensitive information on the system.
18) Cross-site scripting (CVE-ID: CVE-2019-10241)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DefaultServlet or ResourceHandler when configured to show a listing of directory contents. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
19) Information disclosure (CVE-ID: CVE-2018-12536)
The disclosed vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of queries that do not match the dynamic URL pattern for webapps that use default error handling settings. A remote attacker can send a query containing malicious input and trigger a java.nio.file.InvalidPathException message, which could allow the attacker to view sensitive information, such as the software installation path.
20) Brute-force attack (CVE-ID: CVE-2017-9735)
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to a timing channel in util/security/Password.java, which allows a remote attacker to perform a brute-force attack by observing elapsed times before rejection of incorrect passwords.
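The timing channel in item 20 is the classic early-exit comparison: a check that stops at the first mismatching byte rejects a wrong guess faster the earlier it diverges, so response time reveals how much of the prefix is correct. The fix is a comparison whose running time does not depend on where the inputs differ. The code below is an added example written for this bulletin, not Jetty's Password.java; the credential in main() is a constructed sample, and in a real deployment the comparison would be made between password hashes rather than plaintext:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class ConstantTimeCheck {

    // Early-exit comparison: returns at the first differing byte, so the time
    // before rejection grows with the length of the correct prefix. Included
    // only to show the shape of the timing channel; do not use for secrets.
    static boolean compareWithEarlyExit(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) {
                return false;
            }
        }
        return true;
    }

    // Content-independent comparison: every byte up to the shorter length is
    // visited and differences are accumulated with OR, so the position of the
    // first mismatch does not change the running time. Only the lengths can
    // still be inferred, which is why stored credentials should be fixed-size
    // hashes rather than raw passwords.
    static boolean compareConstantTime(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // The JDK ships an equivalent: MessageDigest.isEqual has performed a
    // content-independent comparison since Java 6u17, so prefer it over a
    // hand-written loop in production code.
    static boolean checkPassword(String presented, String expected) {
        byte[] p = presented.getBytes(StandardCharsets.UTF_8);
        byte[] e = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(p, e);
    }

    public static void main(String[] args) {
        String expected = "correct-horse-battery"; // constructed sample credential
        System.out.println(checkPassword("correct-horse-battery", expected));
        System.out.println(checkPassword("correct-horse-x", expected));
        System.out.println(compareConstantTime(
            "abc".getBytes(StandardCharsets.UTF_8),
            "abd".getBytes(StandardCharsets.UTF_8)));
        System.out.println(compareWithEarlyExit(
            "abc".getBytes(StandardCharsets.UTF_8),
            "abc".getBytes(StandardCharsets.UTF_8)));
    }
}
```

Note that the JIT and the memory hierarchy can still introduce small timing variations, so the constant-time comparison should be combined with the usual rate limiting and lockout controls rather than relied on alone.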
Remediation
Install update from vendor's website.