Security Bulletin: IBM QRadar SIEM on Azure Cloud deployed from Azure Marketplace is vulnerable to remote code execution (CVE-2024-21334)

2024-05-01 13:09:36
www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 39.0%)

Summary

IBM QRadar SIEM on Azure Cloud deployed from Azure Marketplace is vulnerable to a remote code execution issue found within the Microsoft Open Management Infrastructure (OMI). The information below shows how to remove this vulnerable component.

Vulnerability Details

CVEID: CVE-2024-21334
**DESCRIPTION:** Microsoft Open Management Infrastructure could allow a remote attacker to execute arbitrary code on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284519 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s): IBM QRadar SIEM (On Azure Marketplace)
Version(s): 7.3.3 - 7.5.0

Remediation/Fixes

Users who installed QRadar from the Azure Marketplace prior to 7.5.0 may find vulnerable versions of OMI on their QRadar deployment. This package can be safely removed to remediate the vulnerability.

Removing the OMI package will also remove its dependencies: omsagent, omsconfig, and scx. It is safe to uninstall these dependencies.

To confirm if your install is affected, run the following command:

rpm -qa | grep -i omi

If this command returns the OMI package (for example, omi-1.6.3-0.x86-64), you can remove it, together with the dependencies omsagent, omsconfig, and scx, with the following command:

yum remove omi

You can verify the package is removed by running the following command and verifying that the OMI package is no longer found:

rpm -qa | grep -i omi

No service restart or deploy is required because OMI packages are independent of QRadar.
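The bulletin's check, remove and verify steps wrapped into one script, as an added example that is not part of the IBM bulletin. It assumes a QRadar host with rpm and yum available, and matches the four package names the bulletin lists (omi, omsagent, omsconfig, scx) with an anchored pattern rather than a bare grep for "omi", so unrelated packages whose names merely contain "omi" are not reported.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): check for, remove and verify
# removal of the OMI package family on a QRadar host.
# Assumption: rpm and yum are present, as on the RHEL-based QRadar appliance.

# Package names taken from the bulletin, anchored to the start of the
# "name-version" string so e.g. "omitools-1.0" would not match.
OMI_PATTERN='^(omi|omsagent|omsconfig|scx)-[0-9]'

# Filter an `rpm -qa` listing (stdin) down to OMI-family packages.
# Kept separate from rpm so it can be exercised on constructed input.
omi_packages_in() {
    grep -iE "$OMI_PATTERN" || true
}

# Exit 0 if the listing on stdin shows the host is affected, 1 if clean.
is_affected() {
    [ -n "$(omi_packages_in)" ]
}

# Read-only check of the live host: prints what would be removed.
check_host() {
    rpm -qa | omi_packages_in
}

# Remove OMI and the dependencies named in the bulletin, then verify.
remediate_host() {
    if ! rpm -qa | is_affected; then
        echo "OMI not installed; nothing to do"
        return 0
    fi
    echo "Removing:"; rpm -qa | omi_packages_in
    # The bulletin's `yum remove omi` pulls the dependents out too;
    # naming all four makes the intent explicit.
    yum -y remove omi omsagent omsconfig scx
    if rpm -qa | is_affected; then
        echo "ERROR: OMI packages still present:" >&2
        rpm -qa | omi_packages_in >&2
        return 1
    fi
    echo "OMI removed; no QRadar service restart or deploy needed"
}

# Usage: `sh omi-check.sh check` or `sh omi-check.sh remediate`.
case "${1:-}" in
    check) check_host ;;
    remediate) remediate_host ;;
esac
```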

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm qradar_network_security, match 7.3.3
OR
ibm qradar_network_security, match 7.5.0
