IBM3B8ADD56F029877687BF5DB98D54EF6C7A596E3CF5F5DAB30018EEACA069E512Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
33.6%
Summary
There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Planning Analytics Workspace. These issues have been addressed by upgrading or removing the vulnerable libraries. Please refer to the table in the Related Information section for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Planning Analytics Workspace, and not any nested dependencies within the product.
Vulnerability Details
CVEID:CVE-2024-4067
**DESCRIPTION:**Node.js micromatch module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in micromatch.braces() in index.js. By sending a specially crafted payload, a remote attacker could exploit this vulnerability to increase the consumption time until the application hangs or slows down.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2024-21013
**DESCRIPTION:**An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow a remote authenticated attacker to cause high availability impact.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287988 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-21060
**DESCRIPTION:**An unspecified vulnerability in Oracle MySQL Server related to the Server: Data Dictionary component could allow a remote authenticated attacker to cause high availability impact.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287976 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-21062
**DESCRIPTION:**An unspecified vulnerability in Oracle MySQL Server related to the Server: Optimizer component could allow a remote authenticated attacker to cause high availability impact.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-21069
**DESCRIPTION:**An unspecified vulnerability in Oracle MySQL Server related to the Server: DDL component could allow a remote authenticated attacker to cause high availability impact.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287973 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-21096
**DESCRIPTION:**An unspecified vulnerability in Oracle MySQL Server related to the Client: mysqldump component could allow a local attacker to cause low confidentiality impact, low integrity impact and low availability impact.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287972 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2024-21102
**DESCRIPTION:**An unspecified vulnerability in Oracle MySQL Server related to the Server: Thread Pooling component could allow a remote authenticated attacker to cause high availability impact.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287970 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-26102
**DESCRIPTION:**Node.js rangy module is vulnerable to a denial of service, caused by a prototype pollution flaw when using the extend() function in file rangy-core.js. By sending a specially-crafted request to modify properties of the Object.prototype, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-4068
**DESCRIPTION:**Node.js braces module is vulnerable to a denial of service, caused by the failure to limit the number of characters it can handle. leading to a memory exhaustion in lib/parse.js. By sending imbalanced braces as input, the parsing will enter a loop causing the JavaScript heap limit to be reached, and the program will crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/290675 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**IBM X-Force ID:**220881
**DESCRIPTION:**Voog wysihtml is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220881 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Planning Analytics | 2.1 |
| IBM Planning Analytics | 2.0 |
Remediation/Fixes
It is strongly recommended that you apply the most recent security updates:
| Affected Product(s) | Version | Fix |
|---|---|---|
| IBM Planning Analytics Local - IBM Planning Analytics Workspace | 2.1 | IBM Planning Analytics Local 2.1.5 is now available for download from Fix Central |
| IBM Planning Analytics Local - IBM Planning Analytics Workspace | 2.0 | Download IBM Planning Analytics Local v2.0: Planning Analytics Workspace Release 98 from Fix Central |
IBM Planning Analytics Workspace cloud environments have been remediated.
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | planning_analytics_local | any | cpe:2.3:a:ibm:planning_analytics_local:any:*:*:*:*:*:*:* |
| ibm | cognos_analytics_cartridge_for_ibm_cloud_pak_for_data | any | cpe:2.3:a:ibm:cognos_analytics_cartridge_for_ibm_cloud_pak_for_data:any:*:*:*:*:*:*:* |
| ibm | planning_analytics | 2.0 | cpe:2.3:a:ibm:planning_analytics:2.0:*:*:*:*:*:*:* |
| ibm | planning_analytics | any | cpe:2.3:a:ibm:planning_analytics:any:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
AI Score
Confidence
High
EPSS
Percentile
33.6%