Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM318912F89A92393350475FB081058FB1CD036033B4E7AB20EB46B1955C0548A5
HistoryMar 15, 2024 - 1:44 p.m.

Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities

2024-03-1513:44:04
www.ibm.com
2
ibm observability
instana
snakeyaml
denial of service
remote code execution
vulnerability
security bulletin

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.5%

JSON

Summary

Multiple vulnerabilities were remediated in IBM Observability with Instana build 262

Vulnerability Details

CVEID:CVE-2022-41854
**DESCRIPTION:**snakeYAML is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially-crafted YAML content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-38752
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-1471
**DESCRIPTION:**SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using a specially-crafted yaml content, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Observability with Instana (OnPrem) Build 251 to 261

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by updating IBM Observability with Instana to the latest release as described here:

<https://www.ibm.com/docs/en/instana-observability/current&gt;

Workarounds and Mitigations

None

Related

nessus 26
ibm 67
cve 4
github 4
ubuntucve 3
openvas 5
redhatcve 3
redhat 35
cbl_mariner 2
osv 11
prion 4
veracode 3
debiancve 3
fedora 3
amazon 1
oraclelinux 1
f5 1
cgr 1
hackerone 1
atlassian 3
rocky 2
githubexploit 1
almalinux 1
rapid7blog 1
zdt 1
packetstorm 1
metasploit 1
thn 2
hivepro 1
gentoo 1
suse 1
qualysblog 5
nessus
nessus
Amazon Linux 2023 : snakeyaml, snakeyaml-javadoc (ALAS2023-2023-375)
2023-10-03 00:00:00
Amazon Linux 2 : snakeyaml (ALAS-2024-2450)
2024-02-06 00:00:00
RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 (RHSA-2023:1512)
2023-03-30 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities in open source libraries affect IBM® Db2® Federated.
2023-12-20 20:15:14
Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in snakeYAML
2023-07-14 21:40:56
Security Bulletin: Multiple Vulnerabilities related to SnakeYAML in Logstash shipped with IBM Operations Analytics - Log Analysis
2023-04-03 07:34:54
cve
cve
CVE-2022-41854
2022-11-11 13:15:00
CVE-2022-38752
2022-09-05 10:15:00
CVE-2022-1471
2022-12-01 11:15:00
github
github
snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write
2022-09-06 00:00:27
Snakeyaml vulnerable to Stack overflow leading to denial of service
2022-11-11 19:00:31
SnakeYaml Constructor Deserialization Remote Code Execution
2022-12-12 21:19:47
ubuntucve
ubuntucve
CVE-2022-38752
2022-09-05 00:00:00
CVE-2022-41854
2022-11-11 00:00:00
CVE-2022-1471
2022-12-01 00:00:00
openvas
openvas
Fedora: Security Advisory for picocli (FEDORA-2023-27ec59a486)
2023-07-08 00:00:00
Fedora: Security Advisory for snakeyaml (FEDORA-2022-c01dd659fa)
2022-12-21 00:00:00
Fedora: Security Advisory for snakeyaml (FEDORA-2022-8a4e8aa190)
2022-12-21 00:00:00
redhatcve
redhatcve
CVE-2022-41854
2022-12-09 13:34:48
CVE-2022-38752
2022-09-26 06:19:00
CVE-2022-1471
2022-12-01 15:56:23
redhat
redhat
(RHSA-2023:1513) Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 8 security update
2023-03-29 11:34:42
(RHSA-2023:1516) Important: Red Hat JBoss Enterprise Application Platform 7.4.10 security update
2023-03-29 11:42:20
(RHSA-2023:1514) Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 9 security update
2023-03-29 11:34:45
cbl_mariner
cbl_mariner
CVE-2022-41854 affecting package snakeyaml 1.25-2
2024-05-05 09:06:36
CVE-2022-38752 affecting package snakeyaml 1.25-2
2024-05-05 09:06:36
osv
osv
CVE-2022-38752
2022-09-05 10:15:09
Snakeyaml vulnerable to Stack overflow leading to denial of service
2022-11-11 19:00:31
CVE-2022-41854
2022-11-11 13:15:11
prion
prion
Stack overflow
2022-11-11 13:15:00
Stack overflow
2022-09-05 10:15:00
Deserialization of untrusted data
2022-12-01 11:15:00
veracode
veracode
Denial Of Service (DoS)
2022-11-17 12:37:25
Denial Of Service (DoS)
2022-09-06 09:31:37
Remote Code Execution (RCE)
2022-12-02 17:22:00
debiancve
debiancve
CVE-2022-41854
2022-11-11 13:15:00
CVE-2022-38752
2022-09-05 10:15:00
CVE-2022-1471
2022-12-01 11:15:00
fedora
fedora
[SECURITY] Fedora 38 Update: picocli-4.7.4-1.fc38
2023-07-06 02:19:58
[SECURITY] Fedora 36 Update: snakeyaml-1.32-1.fc36
2022-12-21 01:18:24
[SECURITY] Fedora 37 Update: snakeyaml-1.32-1.fc37
2022-12-21 01:29:20
amazon
amazon
Low: snakeyaml
2024-02-01 19:57:00
oraclelinux
oraclelinux
prometheus-jmx-exporter security update
2022-12-15 00:00:00
f5
f5
K000132638 : SnakeYAML vulnerability CVE-2022-1471
2023-02-16 00:00:00
cgr
cgr
CVE-2022-1471 vulnerabilities
2024-04-30 09:06:13
hackerone
hackerone
Kubernetes: The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
2022-12-15 19:07:04
atlassian
atlassian
RCE (Remote Code Execution) in - CVE-2022-1471
2023-10-08 08:44:33
RCE (Remote Code Execution) in Bitbucket Data Center and Server - CVE-2022-1471
2023-09-19 20:41:22
RCE (Remote Code Execution) in Confluence Data Center and Server - CVE-2022-1471
2023-09-11 21:13:51
rocky
rocky
prometheus-jmx-exporter security update
2022-12-15 15:08:09
Satellite 6.13 Release
2023-05-05 15:39:58
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Snakeyaml Project Snakeyaml
2023-03-02 16:33:02
almalinux
almalinux
Important: prometheus-jmx-exporter security update
2022-12-15 00:00:00
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2023-10-13 17:03:36
zdt
zdt
PyTorch Model Server Registration / Deserialization Remote Code Execution Exploit
2023-10-15 00:00:00
packetstorm
packetstorm
PyTorch Model Server Registration / Deserialization Remote Code Execution
2023-10-13 00:00:00
metasploit
metasploit
PyTorch Model Server Registration and Deserialization RCE
2023-10-12 13:27:26
thn
thn
Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch
2023-10-03 16:24:00
Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution
2023-12-06 09:18:00
hivepro
hivepro
Atlassian Addresses Critical RCE Flaws
2023-12-07 12:45:52
gentoo
gentoo
snakeyaml: Multiple Vulnerabilities
2023-05-21 00:00:00
suse
suse
Security update for snakeyaml (important)
2022-09-26 00:00:00
qualysblog
qualysblog
Oracle Patch Update, April 2024 Security Update Review
2024-04-17 14:39:59
Oracle Patch Update, January 2024 Security Update Review
2024-01-17 15:29:33
Oracle Patch Tuesday April 2023 Security Update Review
2023-04-19 11:47:21

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.008 Low

EPSS

Percentile

81.5%

JSON
Related for 318912F89A92393350475FB081058FB1CD036033B4E7AB20EB46B1955C0548A5
nessus26ibm67cve4github4ubuntucve3openvas5redhatcve3redhat35cbl_mariner2osv11prion4veracode3debiancve3fedora3amazon1oraclelinux1f51cgr1hackerone1atlassian3rocky2githubexploit1almalinux1rapid7blog1zdt1packetstorm1metasploit1thn2hivepro1gentoo1suse1qualysblog5