History: Apr 17, 2024 - 1:11 p.m.

Security Bulletin: Due to use of Postgresql JDBC, IBM Instana Observability is vulnerable to SQL injection.

2024-04-17 13:11:50
www.ibm.com
10
ibm instana observability
sql injection
postgresql jdbc
cve-2024-1597
docker-based installation

10 High

CVSS3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.4 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 47.1%)

Summary

PostgreSQL JDBC is used by IBM Instana Observability as part of the instana-postgresql-sensor (CVE-2024-1597). This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2024-1597
**DESCRIPTION:** PostgreSQL JDBC Driver (PgJDBC) is vulnerable to SQL injection. A remote attacker could send specially crafted input when the non-default connection property preferQueryMode=simple is used in combination with application code whose SQL negates a parameter value; this could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/283693 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
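The two preconditions named in the description above are a configuration setting (preferQueryMode=simple) and a code pattern (a placeholder that is negated in the SQL text). The audit helpers below are an added example, not code from IBM or from the PgJDBC project: they flag a JDBC URL that opts into simple query mode, flag SQL strings that contain a negated `?` placeholder outside string literals, and model, in a deliberately simplified way that is not the driver's implementation, why a negative number substituted after a unary minus turns into a `--` line comment and why parenthesizing negative values avoids that. The URL form `jdbc:postgresql://host:port/db?property=value` and the property name `preferQueryMode` are assumed from PgJDBC's documented conventions; every sample URL, statement and parameter value is constructed here.

```python
"""Audit helpers for the CVE-2024-1597 preconditions: PgJDBC simple query mode
plus a '?' placeholder that is negated in the SQL text.

Added example, not IBM's or PgJDBC's code. Assumptions: JDBC URLs follow the
documented jdbc:postgresql://host[:port]/db?prop=value form and the property
is named preferQueryMode; the rendering functions are a simplified model of
client-side parameter substitution, not the driver's implementation.
All sample URLs, SQL strings and parameter values are constructed.
"""
import re
from urllib.parse import parse_qs

JDBC_PREFIX = "jdbc:postgresql:"
# A placeholder with a unary minus glued to it: "-?" (not "x - ?").
NEGATED_PLACEHOLDER = re.compile(r"-\?")
# Single-quoted SQL string literal; '' is the escaped quote.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


def uses_simple_query_mode(jdbc_url: str) -> bool:
    """True when the URL opts into preferQueryMode=simple, the non-default
    setting the vulnerability requires."""
    if not jdbc_url.startswith(JDBC_PREFIX):
        return False
    query = jdbc_url.partition("?")[2]
    values = parse_qs(query, keep_blank_values=True).get("preferQueryMode", [])
    return any(v.strip().lower() == "simple" for v in values)


def blank_literals(sql: str) -> str:
    """Replace string literals with spaces of equal length so text inside
    quotes is ignored while character offsets stay valid."""
    return STRING_LITERAL.sub(lambda m: " " * len(m.group(0)), sql)


def negated_placeholders(sql: str) -> list:
    """Offsets of every placeholder written as '-?' outside string literals."""
    return [m.start() for m in NEGATED_PLACEHOLDER.finditer(blank_literals(sql))]


def render_simple_query(sql: str, params: list, parenthesize_negatives: bool = False) -> str:
    """Model of client-side substitution: numbers are inserted as bare text,
    strings as quoted literals. With parenthesize_negatives=True a negative
    number is emitted as '(-1)', the hardening illustrated here."""
    out, pos, idx = [], 0, 0
    for m in re.finditer(r"\?", blank_literals(sql)):  # placeholders outside literals
        out.append(sql[pos:m.start()])
        value = params[idx]
        idx += 1
        if isinstance(value, str):
            out.append("'" + value.replace("'", "''") + "'")
        elif parenthesize_negatives and value < 0:
            out.append("(" + str(value) + ")")
        else:
            out.append(str(value))
        pos = m.end()
    out.append(sql[pos:])
    return "".join(out)


def introduces_line_comment(rendered_sql: str) -> bool:
    """True if substitution produced '--' outside string literals, meaning the
    server would discard the rest of that line as a comment."""
    return "--" in blank_literals(rendered_sql)


def audit(jdbc_url: str, sql_statements: list) -> dict:
    """Report 'at_risk' only when both preconditions hold: simple mode is
    configured AND at least one statement negates a placeholder."""
    simple = uses_simple_query_mode(jdbc_url)
    findings = {s: negated_placeholders(s) for s in sql_statements if negated_placeholders(s)}
    return {"simple_query_mode": simple, "negated_placeholders": findings,
            "at_risk": simple and bool(findings)}


if __name__ == "__main__":
    # Constructed samples: a sensor-style connection URL and two statements.
    url = "jdbc:postgresql://db.example.internal:5432/metrics?preferQueryMode=simple&ssl=true"
    stmts = ["SELECT -? AS negated_balance",
             "SELECT id FROM t WHERE note = '-?' AND x = ?"]  # '-?' here is literal text
    print(audit(url, stmts))
    print(render_simple_query("SELECT -?", [-1]))          # SELECT --1
    print(render_simple_query("SELECT -?", [-1], True))    # SELECT -(-1)
```

Removing `preferQueryMode=simple` from the connection string (the driver's default extended mode sends parameters separately from the statement text) closes the first precondition on its own; the statement scan is useful for prioritising which applications to review when the property cannot be dropped immediately.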

Affected Products and Versions

Affected Product(s): IBM Observability with Instana (OnPrem)
Version(s): Build 261 to 268

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by updating IBM Observability with Instana (OnPrem) to the latest release as described here:
<https://www.ibm.com/docs/en/instana-observability/current>

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm observability_with_instana Match 261 OR ibm observability_with_instana Match 268
