Lucene search

K
ibmIBM318912F89A92393350475FB081058FB1CD036033B4E7AB20EB46B1955C0548A5
HistoryMar 15, 2024 - 1:44 p.m.

Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities

2024-03-1513:44:04
www.ibm.com
19
ibm observability
instana
snakeyaml
denial of service
remote code execution
vulnerability
security bulletin

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.021

Percentile

89.4%

Summary

Multiple vulnerabilities were remediated in IBM Observability with Instana build 262

Vulnerability Details

**CVEID:**CVE-2022-41854 DESCRIPTION: snakeYAML is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted YAML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2022-38752 DESCRIPTION: SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2022-1471 DESCRIPTION: SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using a specially-crafted yaml content, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Observability with Instana (OnPrem) Build 251 to 261

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by updating IBM Observability with Instana to the latest release as described here:

https://www.ibm.com/docs/en/instana-observability/current

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmobservability_with_instanaMatch246
OR
ibmobservability_with_instanaMatch264
VendorProductVersionCPE
ibmobservability_with_instana246cpe:2.3:a:ibm:observability_with_instana:246:*:*:*:*:*:*:*
ibmobservability_with_instana264cpe:2.3:a:ibm:observability_with_instana:264:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.021

Percentile

89.4%