IBM Patches Critical RCE Flaws in Data Virtualization Manager and Security SOAR

Learn about the crucial role of timely patch management in preventing vulnerabilities and securing your clients' IT infrastructure.

IBM has released patches for several vulnerabilities in its products, including serious remote code execution issues in Data Virtualization Manager and Security SOAR. These vulnerabilities could allow attackers to execute arbitrary code or cause system disruptions. The company also addressed high-severity flaws in Watson Speech Services and OpenSSL, as well as various medium- and low-severity security issues in Engineering Lifecycle Management and other products. IBM has provided fix packs and guidance to mitigate these risks.

Key Facts

Risks:

Patch Management, Web App/Website Vulnerability, Other: Prototype Pollution

Keywords:

IBM, RCE, Data Virtualization Manager, Security SOAR, Vulnerability, Patch Management, CVE-2024-52899, CVE-2024-45801

CVE:

CVE-2024-52899; CVE-2024-45801; CVE-2024-49353; CVE-2024-6119

Affected:

Data Virtualization Manager, Security SOAR, Watson Speech Services Cartridge for Cloud Pak for Data, OpenSSL, Engineering Lifecycle Management, IBM Workload Scheduler, Watson Query, Db2 Big SQL on Cloud Pak for Data

Article Body

IBM Patches Critical Vulnerabilities Across Multiple Products

IBM has issued patches to address several vulnerabilities across its product suite, focusing on two high-severity remote code execution (RCE) flaws. These vulnerabilities, if exploited, could allow attackers to execute arbitrary code on affected systems, posing significant security risks.

Remote Code Execution Vulnerabilities

  1. Data Virtualization Manager for z/OS:
     - Vulnerability: Identified as CVE-2024-52899 with a CVSS score of 8.5.
     - Description: This flaw allows remote, authenticated attackers to inject malicious JDBC URL parameters, which could lead to arbitrary code execution on the server hosting the Data Virtualization Manager.
     - Resolution: IBM has released fix packs for versions 1.1 and 1.2 of the Data Virtualization Manager for z/OS. Detailed instructions for downloading and applying these fixes are provided in IBM's advisory.

  2. Security SOAR:
     - Vulnerability: Known as CVE-2024-45801 with a CVSS score of 7.3.
     - Description: This prototype pollution vulnerability can be exploited via the DOMPurify component in the user interface. Attackers can modify properties of Object.prototype using specific payloads, leading to arbitrary code execution or denial-of-service conditions.
     - Resolution: Patches have been made available to mitigate this risk.
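To make the Security SOAR item concrete, the following is an added illustration of the prototype pollution bug class in general, not IBM's code, not the DOMPurify component, and not the payload used against it. It assumes a hypothetical deep-merge helper of the kind that often hides this defect: the vulnerable version lets a "__proto__" key in untrusted JSON reach Object.prototype, the hardened version refuses prototype-reaching keys, and a small check reports whether a fresh object now inherits a property it should not.

```javascript
// Added example (not from IBM or the SecurityWeek article): a hypothetical
// deepMerge() showing how prototype pollution happens, a hardened variant,
// and a check a defender can use to detect a tampered Object.prototype.

// Constructed input: an untrusted JSON document reaching a merge helper.
// JSON.parse() creates "__proto__" as an ordinary own key, so Object.keys()
// enumerates it like any other key.
const UNTRUSTED_JSON = '{"displayName":"guest","__proto__":{"isAdmin":true}}';

// Vulnerable: copies every key of the untrusted object recursively. When key is
// "__proto__", target[key] resolves to Object.prototype and the recursion
// writes the attacker's properties into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that can reach a prototype, and only descend into
// containers that are the target's own plain-object properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // reject (log it in a real service)
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: a brand-new empty object should inherit nothing application-specific.
function isPrototypePolluted(key) {
  return key in {};
}

// Runs both merges against the constructed input and reports the outcome,
// restoring Object.prototype afterwards so the demo leaves no residue.
function demo() {
  unsafeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const unsafePolluted = isPrototypePolluted('isAdmin'); // true: every object "isAdmin"
  delete Object.prototype.isAdmin;                       // clean up after the demonstration

  const merged = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const safePolluted = isPrototypePolluted('isAdmin');   // false: key was dropped
  return { unsafePolluted, safePolluted, merged };
}
```

Rejecting the three keys is the minimum; as defense in depth, a service can also build config and session objects with Object.create(null) so they have no prototype to reach, or freeze Object.prototype at startup, bearing in mind that the latter breaks libraries that extend built-ins.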

Other High-Severity Vulnerabilities

IBM also addressed high-severity flaws in the Watson Speech Services Cartridge for Cloud Pak for Data and in OpenSSL.

Medium and Low-Severity Vulnerabilities

IBM has also addressed several medium- and low-severity vulnerabilities in its Engineering Lifecycle Management tools. These issues could lead to cross-site scripting (XSS) attacks, unauthorized dashboard modifications, or the recovery of plaintext administrative credentials through network sniffing. Additionally, IBM Workload Scheduler was found to store user credentials in plaintext, and session expiration weaknesses in Watson Query and Db2 Big SQL on Cloud Pak for Data could expose sensitive information to authenticated attackers.

IBM's proactive approach in issuing these patches highlights the importance of regular patch management in maintaining robust cybersecurity defenses. Users and administrators are encouraged to apply these updates promptly to safeguard their systems against potential exploits.

Read More

https://www.securityweek.com/ibm-patches-rce-vulnerabilities-in-data-virtualization-manager-security-soar/