SB2026040617 - Multiple vulnerabilities in IBM Storage Protect Plus Server
Published: April 6, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 36 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-50379)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing access restrictions to the default servlet. If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.
2) Use-after-free (CVE-ID: CVE-2024-27398)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the sco_sock_timeout() function in net/bluetooth/sco.c. A remote attacker can trigger a use-after-free error and perform a denial of service (DoS) attack.
3) Path traversal (CVE-ID: CVE-2025-55752)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error when processing directory traversal sequences passed via Rewrite Valve. A remote attacker can send a specially crafted HTTP PUT request and write arbitrary files to the server, leading to remote code execution.
4) Improper Output Neutralization for Logs (CVE-ID: CVE-2025-55754)
The vulnerability allows a remote attacker to execute arbitrary OS commands.
The vulnerability exists due to improper input validation of ANSI escape sequences in log messages. A remote attacker can use a crafted URL to inject ANSI escape sequences to manipulate the console and the clip-boardand potentially execute arbitrary code.
The vulnerability affects Windows installations only.
5) Resource exhaustion (CVE-ID: CVE-2025-61795)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling errors while processing multipart upload. Depending on JVM settings, application memory usage and application load, it is possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.
6) Input validation error (CVE-ID: CVE-2024-36880)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the qca_send_pre_shutdown_cmd(), qca_tlv_check_data() and qca_download_firmware() functions in drivers/bluetooth/btqca.c. A local user can perform a denial of service (DoS) attack.
7) Improper locking (CVE-ID: CVE-2024-42294)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the del_gendisk() function in block/genhd.c. A local user can perform a denial of service (DoS) attack.
8) Permissions, privileges, and access controls (CVE-ID: CVE-2024-56337)
The vulnerability allows a remote attacker to compromise the affected system.
The mitigation bypass depends on the version of Java used on the system.
9) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-27199)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the "safe_join" function allows Windows device names as filenames if when preceded by other path segments. A remote attacker can cause reading of the file to hang indefinitely.
10) Resource exhaustion (CVE-ID: CVE-2024-3651)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the idna.encode() function. A remote attacker can pass an overly long domain name to the application and perform a denial of service (DoS) attack.
11) Out-of-bounds read (CVE-ID: CVE-2024-5629)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the bson module. A remote attacker can trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
12) NULL pointer dereference (CVE-ID: CVE-2024-43823)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the ks_pcie_setup_rc_app_regs() and ks_pcie_host_init() functions in drivers/pci/controller/dwc/pci-keystone.c. A local user can perform a denial of service (DoS) attack.
13) Resource exhaustion (CVE-ID: CVE-2024-38286)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources during the TLS handshake process. A remote attacker can initiate multiple TLS connections, trigger memory exhaustion and perform a denial of service (DoS) attack.
14) Integer underflow (CVE-ID: CVE-2024-46759)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to integer underflow within the adc128_set_in() and adc128_set_temp() functions in drivers/hwmon/adc128d818.c. A local user can execute arbitrary code.
15) Input validation error (CVE-ID: CVE-2025-24813)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when handling file uploads via HTTP PUT requests. A remote attacker can send a specially crafted HTTP PUT request to the server and gain access to sensitive information or even execute arbitrary code.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
16) Improper Handling of Windows Device Names (CVE-ID: CVE-2026-21860)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
17) Use of cache containing sensitive information (CVE-ID: CVE-2026-27205)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to when the session object is accessed, Flask should set the Vary: Cookie header. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. A remote attacker can gain unauthorized access to sensitive information on the system.
18) NULL pointer dereference (CVE-ID: CVE-2024-43898)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the ext4_da_do_write_end() function in fs/ext4/inode.c, within the __block_commit_write() function in fs/buffer.c. A local user can perform a denial of service (DoS) attack.
19) Improper Handling of Length Parameter Inconsistency (CVE-ID: CVE-2025-14847)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to mismatched length fields in Zlib compressed protocol headers. A remote non-authenticated client can read parts of uninitialized heap memory and gain access to sensitive information.
20) Improper Authentication (CVE-ID: CVE-2024-52316)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests. If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process.
21) Improper error handling (CVE-ID: CVE-2025-31650)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient error handling for certain invalid HTTP priority headers. A remote attacker can send a large amount of specially crafted HTTP requests to the server and consume all available memory, resulting in a denial of service condition.
22) Input validation error (CVE-ID: CVE-2025-31651)
The vulnerability allows a remote attacker to bypass rewrite rules.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted input to the application and bypass configured rewrite rules.
23) Resource exhaustion (CVE-ID: CVE-2024-23672)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can keep WebSocket connections open for a long time to trigger resource exhaustion and perform a denial of service (DoS) attack.
24) NULL pointer dereference (CVE-ID: CVE-2024-43821)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the lpfc_xcvr_data_show() function in drivers/scsi/lpfc/lpfc_attr.c. A local user can perform a denial of service (DoS) attack.
25) Resource management error (CVE-ID: CVE-2024-43820)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the raid_resume() function in drivers/md/dm-raid.c. A local user can perform a denial of service (DoS) attack.
26) Resource management error (CVE-ID: CVE-2024-52317)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper management of internal resources when handling HTTP/2 responses, which causes request and/or response mix-up between users. A remote non-authenticated attacker can send a series of HTTP/2 requests and gain access to sensitive information.
27) Processor optimization removal or modification of security-critical code (CVE-ID: CVE-2023-3006)
The vulnerability allow a local user to gain access to sensitive information.
The vulnerability exists due to a known cache speculation vulnerability (Spectre-BHB) for the new hw AmpereOne. A local user can gain access to sensitive information.
28) Resource management error (CVE-ID: CVE-2024-34750)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling HTTP/2 stream. A remote attacker can initiate multiple HTTP/2 connections to the server that are remain open and perform a denial of service (DoS) attack.
29) Use-after-free (CVE-ID: CVE-2024-50067)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the uprobe_buffer_init(), prepare_uprobe_buffer() and __uprobe_trace_func() functions in kernel/trace/trace_uprobe.c. A local user can escalate privileges on the system.
30) Resource exhaustion (CVE-ID: CVE-2025-53506)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling excessive HTTP/2 streams. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
31) Input validation error (CVE-ID: CVE-2025-52434)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling HTTP/2 requests with APR/Native. A remote attacker can send specially crafted HTTP requests to the server and perform a denial of service (DoS) attack.
32) Resource management error (CVE-ID: CVE-2025-52520)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.
33) Insufficient verification of data authenticity (CVE-ID: CVE-2026-26007)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. A remote attacker can provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.
34) Untrusted search path (CVE-ID: CVE-2025-49124)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of an untrusted search path in the application's installer on Windows. A local user can place a malicious binary icacls.exe into the current working directory of the installer file end execute arbitrary code with elevated privileges.
Note, the vulnerability affects Windows systems only.
35) Integer underflow (CVE-ID: CVE-2024-42316)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to integer underflow within the folio_rotate_reclaimable() function in mm/vmscan.c. A local user can execute arbitrary code.
36) Resource management error (CVE-ID: CVE-2024-42321)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the __skb_flow_dissect() function in net/core/flow_dissector.c. A local user can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.