Security Bulletin: IBM QRadar User Behavior Analytics uses components with known vulnerabilities (CVE-2023-44270, CVE-2023-45133)

Summary

IBM QRadar User Behavior Analytics contains vulnerable packages/components that may be identified and potentially exploited. The packages have been updated in the latest release and the vulnerabilities identified in the CVEs have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of IBM QRadar User Behavior Analytics.

Vulnerability Details

CVEID:CVE-2023-44270
**DESCRIPTION:**PostCSS could allow a remote attacker to bypass security restrictions, caused by improper input validaiton. By using a specially crafted external Cascading Style Sheets (CSS), an attacker could exploit this vulnerability to cause \r discrepancies in linters.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267473 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-45133
**DESCRIPTION:**Babel could allow a local attacker to execute arbitrary code on the system, caused by a flaw in the path.evaluate()or path.evaluateTruthy(). By using a specially crafted code to compile, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268647 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Please follow this link to update to version 4.1.14.

Workarounds and Mitigations

None