Lucene search

K
ibmIBM152E9F0FEBD90D47D9A402B6156EBC697FB0AABCD56DC797AC370050482DB099
HistoryJul 12, 2024 - 2:44 p.m.

Security Bulletin: Vulnerability with Perl, Snappy, Psf Request, spring-web-5.3.33.jar , Apache HTTP Server, OpenJDK, affect IBM Cloud Object Storage Systems (July 2024v1)

2024-07-1214:44:46
www.ibm.com
14
vulnerability
perl
snappy
psf request
spring-web-5.3.33.jar
apache http server
openjdk
ibm cloud object storage systems

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

26.7%

Summary

Vulnerability with Perl (CVE-2023-47038), Snappy ( CVE-2024-36124), Psf Request ( CVE-2024-35195), spring-web-5.3.33.jar (CVE-2024-22262) , Apache HTTP Server, (CVE-2024-24795, CVE-2023-38709) OpenJDK (CVE-2024-21094, CVE-2024-21011, CVE-2024-21085, CVE-2024-21068, CVE-2024-21012),. This vulnerability has been addressed in the latest ClevOS release

Vulnerability Details

**CVEID:**CVE-2023-47038 DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the user-defined Unicode property. By persuading a victim to use specially crafted regular expression to compile, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272814 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2024-36124 DESCRIPTION: Snappy is vulnerable to a denial of service, caused by an out-of-bounds read flaw when uncompressing data. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause JVM to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294029 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2024-35195 DESCRIPTION: Psf Requests could allow a local authenticated attacker to bypass security restrictions, caused by an incorrect control flow implementation vulnerability. If the first request in a session is made with verify=False, all subsequent requests to the same host will continue to ignore cert verification. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/291111 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-22262 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

**CVEID:**CVE-2023-38709 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by improper input validation in the core. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286938 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**CVEID:**CVE-2024-21094 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287959 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**CVE-2024-21011 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2024-21085 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2024-21068 DESCRIPTION: An unspecified vulnerability in the Oracle Java SE, GraalVM for JDK and GraalVM related to Hotspot component could allow a remote authenticated attacker to cause low integrity impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288014 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**CVE-2024-21012 DESCRIPTION: An unspecified vulnerability in Java SE related to the Networking component could allow a remote attacker to cause high integrity impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288019 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**CVE-2024-24795 DESCRIPTION: Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by a flaw in multiple modules. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286940 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Object System 3.18.0.50 or Prior Releases
IBM Cloud Object System 3.18.2.45 or Prior

Remediation/Fixes

Product(s) Version Number Remediation/Fix
IBM Cloud Object System 3.18.0.65 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software defined storage&product=ibm/StorageSoftware/IBM+Cloud+Object+Storage+System&release=3.18.0.65&platform=All&function=all
IBM Cloud Object System 3.18.2.87 https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software defined storage&product=ibm/StorageSoftware/IBM+Cloud+Object+Storage+System&release=3.18.2.87&platform=All&function=all

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcloud_object_storage_systemMatch3.18
VendorProductVersionCPE
ibmcloud_object_storage_system3.18cpe:2.3:a:ibm:cloud_object_storage_system:3.18:*:*:*:*:*:*:*

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

8.1

Confidence

High

EPSS

0.001

Percentile

26.7%