Security Bulletin: User Behavior Analytics application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Summary

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM has addressed these vulnerabilities with an update.

Vulnerability Details

CVEID:CVE-2023-41419
**DESCRIPTION:**Gevent could allow a remote attacker to gain elevated privileges on the system, caused by a flaw in the WSGIServer component. By using a specially crafted script , an attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267078 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-26159
**DESCRIPTION:**follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2024-29180
**DESCRIPTION:**webpack webpack-dev-middleware could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286153 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-31486
**DESCRIPTION:**Perl HTTP::Tiny module could provide weaker than expected security, caused by the failure to verify TLS certificates by default and requiring users to opt in to verify certificates. An attacker could exploit the vulnerability to obtain sensitive information or further compromise the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253358 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-44981
**DESCRIPTION:**Apache ZooKeeper could allow a remote attacker to bypass security restrictions, caused by a flaw when SASL Quorum Peer authentication is enabled. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass authorization and allow arbitrary endpoints to join the cluster and begin propagating counterfeit changes.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268362 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-26145
**DESCRIPTION:**Python pydash package could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw in pydash.objects.invoke() and pydash.collections.invoke_map() function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267517 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-46751
**DESCRIPTION:**Apache Ivy could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264003 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID:CVE-2023-25613
**DESCRIPTION:**Apache Kerby could allow a remote attacker to conduct an LDAP injection, caused by a flaw in LdapIdentityBackend. By sending a request with a specially-crafted request, an attacker could exploit this vulnerability to inject unsanitized content into the LDAP filter.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247897 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2024-22195
**DESCRIPTION:**Pallets Jinja is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the xmlattr filter. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279344 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2023-34453
**DESCRIPTION:**snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258186 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-34454
**DESCRIPTION:**snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258188 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-34455
**DESCRIPTION:**snappy-java is vulnerable to a denial of service, caused by the use of an unchecked chunk length in the hasNextChunk function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-13936
**DESCRIPTION:**Apache Velocity could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox bypass flaw. By modifying the Velocity templates, an attacker could exploit this vulnerability to execute arbitrary code with the same privileges as the account running the Servlet container.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197993 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-6378
**DESCRIPTION:**QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the receiver component. By sending specially crafted poisoned data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272577 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-25647
**DESCRIPTION:**Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)

CVEID:CVE-2023-34462
**DESCRIPTION:**Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel during the TLS handshake the SniHandler class. By sending a specially crafted client hello packet, a remote authenticated attacker could exploit this vulnerability to cause a OutOfMemoryError and so result in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258713 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-6481
**DESCRIPTION:**QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the logback receiver component. By sending a specially crafted data, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273013 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

CVEID:CVE-2024-28849
**DESCRIPTION:**Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing authorization header during cross-domain redirect, but keeping the proxy-authentication header. An attacker could exploit this vulnerability to obtain credentials and other sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2017-16137
**DESCRIPTION:**Node.js debug module is vulnerable to regular expression denial of service when passing untrusted user input. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/135678 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-46234
**DESCRIPTION:**browserify browserify-sign could allow a remote attacker to bypass security restrictions, caused by an upper bound check issue in the dsaVerify function. By sending a specially crafted request, an attacker could exploit this vulnerability to perform signature forgery attack.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269796 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-22946
**DESCRIPTION:**Apache Spark could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when using spark-submit. By providing specially crafted configuration-related classes on the classpath, an authenticated attacker could exploit this vulnerability to execute arbitrary code with the privileges of the submitting user…
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252824 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2018-17190
**DESCRIPTION:**Apache Spark could allow a remote attacker to execute arbitrary code on the system, caused by the acceptance and running of code on a master host by an unsecured standalone resource manager. If authentication is disabled, an attacker could send a specially crafted request to execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/153121 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-11804
**DESCRIPTION:**Apache Spark Maven-based build could allow a remote attacker to obtain sensitive information, caused by the inclusion of the ‘build/mvn’ convenience script that downloads and runs a zinc server. By sending a specially crafted request to the zinc server, an attacker could exploit this vulnerability to obtain sensitive information from the build machines.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/151975 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2018-11770
**DESCRIPTION:**Apache Spark could allow a remote attacker to bypass security restrictions, caused by the exposure of REST APIs for job submission that are not controlled by authentication. An attacker could exploit this vulnerability to run a driver program without authenticating.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148257 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-3635
**DESCRIPTION:**Okio GzipSource is vulnerable to a denial of service, caused by unhandled exception. By sending a specially crafted gzip buffer, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260866 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Upgrade to version 4.1.16.

Workarounds and Mitigations

None