SB2026040323 - Multiple vulnerabilities in IBM Storage Scale

Description

This security bulletin contains information about 10 vulnerabilities.

1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-66418)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition. 

2) Resource exhaustion (CVE-ID: CVE-2025-66471)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the streaming API does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-28498)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to cryptographic issues in the secp256k1 implementation in elliptic/ec/key.js. A remote attacker can pass specially crafted public key point to the application and gain access to sensitive information.

4) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42459)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling EDDSA signatures. A remote attacker can bypass signature-based security checks.

5) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42460)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling ECDSA signatures. A remote attacker can bypass signature-based security checks.

6) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42461)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling BER-encoded ECDSA signatures. A remote attacker can bypass signature-based security checks.

7) Improper verification of cryptographic signature (CVE-ID: CVE-2024-48948)

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect validation of valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. Such behavior leads to valid signatures being rejected.

8) Input validation error (CVE-ID: CVE-2024-48949)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input within the verify() function in lib/elliptic/eddsa/index.js. A remote attacker can send specially crafted input to the application and bypass implemented security restrictions.

9) Use of a Cryptographic Primitive with a Risky Implementation (CVE-ID: CVE-2025-14505)

CWE-ID: CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to gain access to secret key.

The vulnerability exists due to ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. A remote attacker can under certain conditions derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs

10) Prototype pollution (CVE-ID: CVE-2025-13465)

CWE-ID: CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes (\'Prototype Pollution\')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to alter application's behavior. 

The vulnerability exists due to improper input validation within the in the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7268507