Security update advisories for IBM products (IBM Cognos Analytics, IBM Aspera Console, etc.)

Overview

An update has been made available to fix vulnerabilities in IBM products. Users of affected versions are advised to update to the latest version.

Affected Products

CVE-2023-39410, CVE-2018-8032, CVE-2014-3596, CVE-2012-5784, CVE-2019-0227, CVE-2022-34169, CVE-2021-43138, CVE-2023-36478, CVE-2023-44487, CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035, CVE-2021-35550, CVE-2021-35603, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-21299, CVE-2021-28167, CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597, CVE-2023-22049, CVE-2021-31684, CVE-2023-1370, CVE-2023-30588, CVE-2023-30589, CVE-2023-45857, CVE-2020-28458, CVE-2021-23445, CVE-2021-44906, CVE-2023-26115, CVE-2023-0215, CVE-2023-0464, CVE-2023-3817, CVE-2019-1547, CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-3449, CVE-2021-3711, CVE-2021-3712, CVE-2021-4160, CVE-2022-0778, CVE-2022-2097, CVE-2022-40897, CVE-2021-3572, CVE-2023-26136, CVE-2022-41854, CVE-2022-1471, CVE-2022-34357, CVE-2023-30996, CVE-2023-32344, CVE-2023-38359, CVE-2023-43051

  • IBM Cognos Analytics 11.1.7
  • IBM Cognos Analytics 11.2.4
  • IBM Cognos Analytics 12.0.0

CVE-2022-37436, CVE-2021-34798

  • IBM Aspera Console 3.4.0 – 3.4.2 PL4

CVE-2024-25021, CVE-2023-47038, CVE-2023-47100

  • AIX 7.3: perl.rte 5.34.0.0 through 5.34.1.5
  • VIOS 4.1: perl.rte 5.34.0.0 through 5.34.1.5

CVE-2022-21426, CVE-2022-34169, CVE-2022-40609, CVE-2022-4203, CVE-2022-4450, CVE-2022-0778, CVE-2022-1471, CVE-2022-40897, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-21830, CVE-2023-21843, CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968, CVE-2023-2597, CVE-2023-2650, CVE-2023-3817, CVE-2023-3446, CVE-2023-36478, CVE-2023-43051, CVE-2023-45857, CVE-2023-46152

  • IBM Cognos Transformer 11.1.7

CVE-2023-22081, CVE-2023-5676

  • IBM Sterling Connect:Direct for UNIX 6.0.0.0 – 6.0.0.2.iFix161
  • IBM Sterling Connect:Direct for UNIX 6.1.0.0 – 6.1.0.4.iFix102
  • IBM Sterling Connect:Direct for UNIX 6.2.0.0 – 6.2.0.7.iFix004
  • IBM Sterling Connect:Direct for UNIX 6.3.0.0 – 6.3.0.2.iFix004

CVE-2023-34054, CVE-2023-34062, CVE-2024-22319, CVE-2023-34055, CVE-2024-22320

  • IBM Operational Decision Manager 8.10.3
  • IBM Operational Decision Manager 8.10.4
  • IBM Operational Decision Manager 8.10.5.1
  • IBM Operational Decision Manager 8.11.0.1
  • IBM Operational Decision Manager 8.11.1
  • IBM Operational Decision Manager 8.12.0.1

CVE-2023-51385

  • IBM i 7.2
  • IBM i 7.3
  • IBM i 7.4
  • IBM i 7.5

Resolved Vulnerabilities

Denial of service vulnerability in the indexOf function in netplex json-smart (CVE-2021-31684)
Vulnerability in netplex json-smart-v2 due to not restricting the nesting depth of arrays or objects (CVE-2023-1370)
Denial of service vulnerability due to exponential resource usage when verifying X.509 certificate chains that include policy constraints in OpenSSL (CVE-2023-0464)
Vulnerabilities in the JSSE component of Java SE that could allow an unauthenticated attacker to obtain sensitive information via an unknown attack vector (CVE-2021-35550, CVE-2021-35578, CVE-2021-35565)
Vulnerability in the Deployment component of Java SE that could allow an unauthenticated attacker to take control of the system (CVE-2021-35560)
Denial of service vulnerability in the ImageIO component of Java SE (CVE-2021-35586)
Unspecified vulnerability in the Keytool component of Java SE (CVE-2021-35564)
Denial of service vulnerabilities in the Swing component of Java SE (CVE-2021-35559, CVE-2021-35556)
Denial of service vulnerability in the VM component of Java SE (CVE-2021-35588)
Elevation of privilege and arbitrary code execution vulnerability in Eclipse OpenJ9 when a specially crafted program is run under the security manager (CVE-2021-41035)
Arbitrary code execution vulnerability due to prototype pollution in the setKey() function of index.js in the Node.js minimist module (CVE-2021-44906)
Flaw in the jdk.internal.reflect.ConstantPool API in Eclipse OpenJ9 that allows access to a static member without calling a static method or running the class initialization method (CVE-2021-28167)
Cross-site scripting vulnerability in IBM Cognos Analytics (CVE-2023-38359)
Form action hijacking vulnerability in IBM Cognos Analytics (CVE-2023-32344)
Denial of service vulnerability in the JAXP component of Java SE (CVE-2022-21299)
Information disclosure vulnerability in IBM Cognos Analytics due to messages sent between window objects of different origins without origin verification (CVE-2023-30996)
Unspecified vulnerability in the JNDI component of Java SE (CVE-2022-21496)
Unspecified vulnerability in the Libraries component of Java SE (CVE-2022-21434)
Denial of service vulnerability in the Libraries component of Java SE (CVE-2022-21443)
Denial of service vulnerability in OpenSSL due to a flaw when checking DH keys or DH parameters with the DH_check(), DH_check_ex() or EVP_PKEY_param_check() functions (CVE-2023-3817)
Insecure deserialization flaw in the Apache Avro Java SDK that allows a remote authenticated attacker to execute arbitrary code on the system (CVE-2023-39410)
Arbitrary code execution vulnerability due to prototype pollution in the Node.js datatables.net module (CVE-2020-28458)
Cross-site scripting vulnerability in datatables.net (CVE-2021-23445)
Arbitrary code execution vulnerability due to prototype pollution in Salesforce tough-cookie, caused by mishandling of cookies when CookieJar is used with rejectPublicSuffixes=false (CVE-2023-26136)
Security restriction bypass vulnerability in pip due to incorrect handling of Unicode delimiters in git references (CVE-2021-3572)
Unspecified vulnerabilities in the JSSE component of Oracle Java SE and GraalVM Enterprise Edition (CVE-2023-21930, CVE-2023-21967)
Unspecified vulnerability in the HotSpot component of Oracle Java SE and GraalVM Enterprise Edition (CVE-2023-21954)
Unspecified vulnerability in the Swing component of Oracle Java SE and GraalVM Enterprise Edition (CVE-2023-21939)
Unspecified vulnerability in the Libraries component of Oracle Java SE and GraalVM Enterprise Edition (CVE-2023-21968)
Unspecified vulnerability in the Networking component of Oracle Java SE and Oracle GraalVM Enterprise Edition (CVE-2023-21937)
Unspecified vulnerability in the Libraries component of Oracle Java SE and Oracle GraalVM Enterprise Edition (CVE-2023-21938)
Buffer overflow vulnerability due to improper bounds checking in the getCachedUTFString() function in Eclipse OpenJ9 (CVE-2023-2597)
Cross-site scripting vulnerability in Apache Axis due to incorrect validation of user-supplied input in the default servlet/services (CVE-2018-8032)
Security restriction bypass vulnerability in Apache Axis 1.4 and Axis2 X.509 certificate handling: because of an incomplete fix for CVE-2012-5784, the server hostname is still not verified against the Common Name (CN) field of the certificate subject (CVE-2014-3596)
Security restriction bypass vulnerability in Apache Axis 1.4 and Axis2 X.509 certificate handling: the server hostname is not verified against the Common Name (CN) field of the certificate subject (CVE-2012-5784)
Server-side request forgery vulnerability in Apache Axis due to an expired hard-coded domain in the default example service StockQuoteService.jws (CVE-2019-0227)
Denial of service vulnerability in IBM Cognos Analytics Mobile Server due to missing request rate limiting (CVE-2022-34357)
Denial of service vulnerability in Node.js due to invalid public key information in X.509 certificates (CVE-2023-30588)
HTTP request smuggling vulnerability in Node.js (CVE-2023-30589)
Vulnerability in OpenSSL that could allow EC groups to be configured using explicit parameters instead of named curves (CVE-2019-1547)
Denial of service vulnerability due to a NULL pointer dereference in OpenSSL (CVE-2020-1971)
Incorrect SSLv2 rollback protection in OpenSSL, which could result in weaker security (CVE-2021-23839)
Denial of service vulnerability due to an integer overflow in CipherUpdate in OpenSSL (CVE-2021-23840)
Denial of service vulnerability due to a NULL pointer dereference in the X509_issuer_and_serial_hash() function in OpenSSL (CVE-2021-23841)
Denial of service vulnerability due to a NULL pointer dereference in OpenSSL's handling of signature_algorithms (CVE-2021-3449)
Buffer overflow vulnerability due to improper bounds checking in the EVP_PKEY_decrypt() function of the SM2 decryption implementation in OpenSSL (CVE-2021-3711)
Denial of service vulnerability due to out-of-bounds reads when handling ASN.1 strings in OpenSSL (CVE-2021-3712)
Vulnerability due to a carry propagation flaw in the MIPS32 and MIPS64 squaring procedures in OpenSSL (CVE-2021-4160)
Denial of service vulnerability in OpenSSL due to a flaw in the BN_mod_sqrt() function (CVE-2022-0778)
Improper encryption of data by OpenSSL in AES OCB mode on 32-bit x86 platforms, which could allow sensitive information to be disclosed (CVE-2022-2097)
Vulnerability in the JSSE component of Java SE that could allow access to sensitive information (CVE-2021-35603)
Regular expression denial of service vulnerability in the result variable of the Node.js word-wrap module (CVE-2023-26115)
Arbitrary code execution vulnerability in the async module due to prototype pollution in the mapValues() method (CVE-2021-43138)
Arbitrary code execution vulnerability in SnakeYAML due to insecure deserialization via the Constructor class (CVE-2022-1471)
Denial of service vulnerability in Eclipse Jetty due to an integer overflow and buffer allocation in MetaDataBuilder.checkSize (CVE-2023-36478)
Denial of service vulnerability due to a flaw in handling multiplexed streams in the HTTP/2 protocol (CVE-2023-44487)
Denial of service vulnerability due to incorrect input validation in PyPA setuptools (CVE-2022-40897)
Arbitrary code execution vulnerability in the Apache Xalan Java XSLT library due to an integer truncation issue when handling malicious XSLT stylesheets (CVE-2022-34169)
Denial of service vulnerability in SnakeYAML due to insufficient validation of malformed input (CVE-2022-41854)
Denial of service vulnerability due to a use-after-free in streaming ASN.1 data handling in the BIO_new_NDEF function in OpenSSL (CVE-2023-0215)
Cross-site scripting vulnerability in IBM Cognos Analytics (CVE-2023-43051)
Integrity-affecting vulnerability in the Libraries component of Java SE (CVE-2023-22049)
Cross-site request forgery vulnerability in Axios due to incorrect validation of user-supplied input (CVE-2023-45857)
HTTP response splitting vulnerability in Apache HTTP Server mod_proxy due to a malicious backend (CVE-2022-37436)
Denial of service vulnerability due to a NULL pointer dereference in the Apache HTTP Server httpd core (CVE-2021-34798)
Perl in IBM AIX allows unprivileged local users to execute arbitrary commands (CVE-2024-25021)
Heap-based buffer overflow vulnerability in Perl due to improper bounds checking when handling a user-defined Unicode property (CVE-2023-47038)
Security restriction bypass vulnerability in Perl due to improper handling of property names in the S_parse_uniprop_string function in regcomp.c, which a remote attacker could exploit (CVE-2023-47100)
Security restriction bypass vulnerability due to a flaw in the X509_VERIFY_PARAM_add0_policy function in OpenSSL (CVE-2023-0466)
Security restriction bypass vulnerability in OpenSSL due to a flaw when verifying certificates with non-default options (CVE-2023-0465)
Denial of service vulnerability in the JAXP component of Java SE (CVE-2022-21426)
Denial of service vulnerability due to a flaw when OpenSSL's OBJ_obj2txt() is used directly, or when the OpenSSL OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS subsystems are used without a message size limit (CVE-2023-2650)
Unspecified vulnerability in the Serialization component of Java SE (CVE-2023-21830)
Denial of service vulnerability in OpenSSL due to a flaw when checking DH keys or DH parameters with the DH_check(), DH_check_ex() or EVP_PKEY_param_check() functions (CVE-2023-3446)
Unspecified vulnerability in the Sound component of Java SE (CVE-2023-21843)
Arbitrary code execution vulnerability in IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 due to an unsafe deserialization flaw (CVE-2022-40609)
Denial of service vulnerability in OpenSSL due to an invalid pointer dereference when handling malformed PKCS7 data (CVE-2023-0216)
Denial of service vulnerability in OpenSSL due to a NULL pointer dereference during PKCS7 data verification (CVE-2023-0401)
Denial of service vulnerability in OpenSSL due to a read buffer overrun triggered by improper handling during X.509 certificate verification (CVE-2022-4203)
Denial of service vulnerability due to a NULL pointer dereference when validating certain DSA public keys in OpenSSL (CVE-2023-0217)
Unspecified vulnerability in the JSSE component of Java SE (CVE-2023-22081)
Denial of service vulnerability in Eclipse OpenJ9 (CVE-2023-5676)
Denial of service vulnerability in VMware Tanzu Reactor Netty (CVE-2023-34054)
Directory traversal vulnerability in VMware Tanzu Reactor Netty due to improper validation of user requests (CVE-2023-34062)
Remote code execution vulnerability in IBM Operational Decision Manager via JNDI injection when unvalidated arguments are passed to certain APIs (CVE-2024-22319)
Denial of service vulnerability in VMware Tanzu Spring Boot when an application uses Spring MVC or Spring WebFlux with org.springframework.boot:spring-boot-actuator on the classpath (CVE-2023-34055)
Insecure deserialization in IBM Operational Decision Manager that could allow a remote authenticated attacker to execute arbitrary code on the system (CVE-2024-22320)
Vulnerability in OpenSSH that allows a remote attacker to execute arbitrary commands due to incorrect validation of shell metacharacters (CVE-2023-51385)

Vulnerability Patches

Patches were made available in the February 23, 2024 update. Update to the latest patched version as described in the referenced site for each product.

CVE-2023-39410, CVE-2018-8032, CVE-2014-3596, CVE-2012-5784, CVE-2019-0227, CVE-2022-34169, CVE-2021-43138, CVE-2023-36478, CVE-2023-44487, CVE-2021-35560, CVE-2021-35586, CVE-2021-35578, CVE-2021-35564, CVE-2021-35559, CVE-2021-35556, CVE-2021-35565, CVE-2021-35588, CVE-2021-41035, CVE-2021-35550, CVE-2021-35603, CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-21299, CVE-2021-28167, CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597, CVE-2023-22049, CVE-2021-31684, CVE-2023-1370, CVE-2023-30588, CVE-2023-30589, CVE-2023-45857, CVE-2020-28458, CVE-2021-23445, CVE-2021-44906, CVE-2023-26115, CVE-2023-0215, CVE-2023-0464, CVE-2023-3817, CVE-2019-1547, CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841, CVE-2021-3449, CVE-2021-3711, CVE-2021-3712, CVE-2021-4160, CVE-2022-0778, CVE-2022-2097, CVE-2022-40897, CVE-2021-3572, CVE-2023-26136, CVE-2022-41854, CVE-2022-1471, CVE-2022-34357, CVE-2023-30996, CVE-2023-32344, CVE-2023-38359, CVE-2023-43051

  • IBM Cognos Analytics 11.1.7 Fix Pack 8
  • IBM Cognos Analytics 11.2.4 Fix Pack 3
  • IBM Cognos Analytics 12.0.2

CVE-2022-37436, CVE-2021-34798

  • IBM Aspera Console 3.4.2 PL7

CVE-2024-25021, CVE-2023-47038, CVE-2023-47100

  • See the ‘Remediation/Fixes’ section of referenced site [3]

CVE-2022-21426, CVE-2022-34169, CVE-2022-40609, CVE-2022-4203, CVE-2022-4450, CVE-2022-0778, CVE-2022-1471, CVE-2022-40897, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-21830, CVE-2023-21843, CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968, CVE-2023-2597, CVE-2023-2650, CVE-2023-3817, CVE-2023-3446, CVE-2023-36478, CVE-2023-43051, CVE-2023-45857, CVE-2023-46152

  • IBM Cognos Analytics 11.1.7 Fix Pack 8

CVE-2023-22081, CVE-2023-5676

  • IBM Sterling Connect:Direct for UNIX 6.0.0.2.iFix162
  • IBM Sterling Connect:Direct for UNIX 6.1.0.4.iFix103
  • IBM Sterling Connect:Direct for UNIX 6.2.0.7.iFix005
  • IBM Sterling Connect:Direct for UNIX 6.3.0.2.iFix005

CVE-2023-34054, CVE-2023-34062, CVE-2024-22319, CVE-2023-34055, CVE-2024-22320

  • See the ‘Remediation/Fixes’ section of referenced site [6]

CVE-2023-51385

  • See the ‘Remediation/Fixes’ section of referenced site [7]

Referenced Sites

[1] Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
https://www.ibm.com/support/pages/node/7123154
[2] Security Bulletin: IBM Aspera Console 3.4.2 PL7 has addressed multiple vulnerabilities (CVE-2022-37436, CVE-2021-34798)
https://www.ibm.com/support/pages/node/7122989
[3] Security Bulletin: AIX is vulnerable to arbitrary command execution due to Perl (CVE-2024-25021, CVE-2023-47038, CVE-2023-47100)
https://www.ibm.com/support/pages/node/7122628
[4] Security Bulletin: IBM Cognos Transformer is affected by security vulnerabilities
https://www.ibm.com/support/pages/node/7112541
[5] Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to an unspecified vulnerability and denial of service due to IBM Runtime Environment Java Technology Edition
https://www.ibm.com/support/pages/node/7123275
[6] Security Bulletin: IBM Operational Decision Manager for January 2024 – Multiple CVEs addressed
https://www.ibm.com/support/pages/node/7112382
[7] Security Bulletin: OpenSSH for IBM i is vulnerable to an attacker executing arbitrary commands due to improper validation (CVE-2023-51385)
https://www.ibm.com/support/pages/node/7123159