SB2026040323 - Multiple vulnerabilities in IBM Storage Scale

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-66418)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition. 

2) Resource exhaustion (CVE-ID: CVE-2025-66471)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the streaming API does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2020-28498)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to cryptographic issues in the secp256k1 implementation in elliptic/ec/key.js. A remote attacker can pass specially crafted public key point to the application and gain access to sensitive information.

4) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42459)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling EDDSA signatures. A remote attacker can bypass signature-based security checks.

5) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42460)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling ECDSA signatures. A remote attacker can bypass signature-based security checks.

6) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2024-42461)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling BER-encoded ECDSA signatures. A remote attacker can bypass signature-based security checks.

7) Improper verification of cryptographic signature (CVE-ID: CVE-2024-48948)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect validation of valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. Such behavior leads to valid signatures being rejected.

8) Input validation error (CVE-ID: CVE-2024-48949)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input within the verify() function in lib/elliptic/eddsa/index.js. A remote attacker can send specially crafted input to the application and bypass implemented security restrictions.

9) Use of a Cryptographic Primitive with a Risky Implementation (CVE-ID: CVE-2025-14505)

The vulnerability allows a remote attacker to gain access to secret key.

The vulnerability exists due to ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. A remote attacker can under certain conditions derive the secret key, if they could get their hands on both a faulty signature generated by a vulnerable version of Elliptic and a correct signature for the same inputs

10) Prototype pollution (CVE-ID: CVE-2025-13465)

The vulnerability allows a remote attacker to alter application's behavior. 

The vulnerability exists due to improper input validation within the in the _.unset and _.omit functions. A remote attacker can pass specially crafted input to the application and delete methods from global prototypes.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7268507