Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL

Summary

IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to vulnerabilities in PostgreSQL JAR (CVE-2022-26520, CVE-2022-21724, CVE-2020-13692, CVE-2022-31197, 220313). The fix involves upgrading the PostgreSQL JAR to the patched version.

Vulnerability Details

CVEID:CVE-2022-26520
**DESCRIPTION:**pgjdbc could allow a remote attacker to execute arbitrary code on the system, caused by the external control of the java.util.logging.FileHandler component. By sending a specially-crafted request using the loggerFileName connection parameter, an attacker could exploit this vulnerability to create an executable JSP file under a Tomcat web root. Note: the vendor’s position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-21724
**DESCRIPTION:**PostgreSQL JDBC Driver (PgJDBC) could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked class instantiation when providing plugin classes. By sending a specially-crafted request using the “authenticationPluginClassName”, “sslhostnameverifier”, “socketFactory”, “sslfactory”, “sslpasswordcallback” classes, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/218798 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID:CVE-2020-13692
**DESCRIPTION:**PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183018 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-31197
**DESCRIPTION:**PostgreSQL is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to PGJDBC implementation of the java.sql.ResultRow.refreshRow() method, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232820 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**IBM X-Force ID:**220313
**DESCRIPTION:**PostgreSQL JDBC Driver could allow a remote attacker to gain unauthorized access to the system, caused by the exposure of the connection properties for configuring a pgjdbc connection. By specifying arbitrary connection properties, a remote attacker could exploit this vulnerability to gain unauthorized access to the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220313 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

Affected Product(s)

|

Version(s)

|

First Fix

—|—|—

IBM Security Verify Governance

|

10.0.1

|

10.0.1.0-ISS-ISVG-IGVA-FP0003

Workarounds and Mitigations

None