IBM Security Verify Information Queue 安全漏洞

IBM Security Verify Information Queue using the acronym "ISIQ" is a cross-product integrator that uses Kafka technology and a publish/subscribe model to integrate data between IBM Security products. Security Verify Information Queue is vulnerable to information disclosure in version 10.0.2. An...

Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288)

Summary When a malformed request to regenerate an external API token is sent to IBM Security Verify Information Queue ISIQ v10.0.2, the resulting error message reveals sensitive data. ISIQ v10.0.3 has remediated this information exposure vulnerability. CVE-2022-35288 Vulnerability Details...

Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287)

Summary IBM Security Verify Information Queue ISIQ v10.0.2 includes YAML files and property files with hard-coded credentials. ISIQ v10.0.3 has removed these files from the installation package since they are not required for product operation. CVE-2022-35287 Vulnerability Details...

Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285)

Summary The query facility in the Audit Events UI of IBM Security Verify Information Queue ISIQ v10.0.2 is vulnerable to SQL injection. This could allow an attacker to use cross-site request forgery for the purpose of executing unauthorized actions. ISIQ v10.0.3 has secured the Audit Events UI to...

Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284)

Summary IBM Security Verify Information Queue ISIQ v10.0.2 does not set the SameSite attribute in the ISIQ session cookie. As a result, any CSRF protections offered by the attribute are disabled. ISIQ v10.0.3 is now correctly setting the SameSite attribute. CVE-2022-35284 Vulnerability Details...

CVE-2022-35285

IBM Security Verify Information Queue 10.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 230812...

CVE-2022-35288

IBM Security Verify Information Queue 10.0.2 could allow a user to obtain sensitive information that could be used in further attacks against the system. IBM X-Force ID: 230818...

CVE-2022-35287

IBM Security Verify Information Queue 10.0.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 230817...

CVE-2022-35284

IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 230811...

The vulnerability of the Redis database management system, related to buffer overflows in the queue, allows attackers to execute arbitrary code.

The vulnerability of the Redis database management system is related to buffer overflow in the queue. Exploiting this vulnerability allows an attacker to execute arbitrary code using the X AUTOCLAIM command...

Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202)

Summary The connect image in IBM Security Verify Information Queue ISIQ v10.0.2 uses an older version of the Oracle JDBC jar file that has multiple vulnerabilities. ISIQ v10.0.3 upgraded its connect image to include a newer Oracle JDBC jar that remediates the vulnerabilities. CVE-2019-2444,...

Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093)

Summary The connect image in IBM Security Verify Information Queue ISIQ v10.0.2 uses an older version of the Wire Schema jar file that is vulnerable to remote attackers. ISIQ v10.0.3 upgraded its connect image to include a newer Wire Schema jar that remediates the vulnerabilities. CVE-2020-27853,...

Security Bulletin: IBM Security Verify Information Queue uses a Google gRPC framework with multiple vulnerabilities (CVE-2017-7860, CVE-2017-7861, CVE-2017-9431)

Summary The connect image in IBM Security Verify Information Queue ISIQ v10.0.2 uses an older version of the Google RPC gRPC framework that is vulnerable to denial of service and buffer overflow attacks. ISIQ v10.0.3 upgraded its connect image to include a newer gRPC level that remediates the...

Security Bulletin: Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307)

Summary The connect image in IBM Security Verify Information Queue ISIQ v10.0.2 uses a Confluent-provided Apache Log4j library. The library includes a log-viewing component known as Chainsaw that has two deserialization flaws. ISIQ v10.0.3 upgraded its connect image to specify a newer Apache Log4...

Security Bulletin: OpenSSL vulnerabilities in the IBM Security Verify Information Queue web server (CVE-2021-3711, CVE-2021-3712)

Summary The web server in IBM Security Verify Information Queue ISIQ v10.0.2 uses an older Node.js version with two known OpenSSL vulnerabilities. ISIQ v10.0.3 upgraded to a Node.js version that includes a newer OpenSSL to remediate the vulnerabilities. CVE-2021-3711, CVE-2021-3712 Vulnerability...

CVE-2022-22209

A Missing Release of Memory after Effective Lifetime vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated network based attacker to cause a Denial of Service DoS. On all Junos platforms, the Kernel Routing Table KRT queue can get stuck due to a memory leak triggered ...

CVE-2022-35283

IBM Security Verify Information Queue 10.0.2 could allow an authenticated user to cause a denial of service with a specially crafted HTTP request...

CVE-2022-35283

IBM Security Verify Information Queue 10.0.2 could allow an authenticated user to cause a denial of service with a specially crafted HTTP request...

CVE-2022-35283

Summary: CVE-2022-35283 affects IBM Security Verify Information Queue (ISIQ) version 10.0.2. An authenticated user can trigger a denial of service via a specially crafted HTTP request. The issue is addressed in ISIQ 10.0.3, which implements stricter URL validation to prevent this DoS. CVSS base s...

IBM Security Verify Information Queue 安全漏洞

IBM Security Verify Information Queue is an integration product from IBM USA. utilizes Kafka technology and a publish/subscribe model to integrate data between IBM Security products. A security vulnerability exists in IBM Security Verify Information Queue 10.0.2, which stems from the fact that it...