Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
IBM Squashes Critical Remote Code-Execution Flaw
#1
A critical-severity buffer-overflow flaw that affects IBM Integration Designer could allow remote attackers to execute code.

 
IBM has patched a critical buffer-overflow error that affects Big Blue’s Integration Designer toolset, which helps enterprises create business processes that integrate ap
 
The flaw (CVE-2020-27221) has a CVSS base score of 9.8 out of 10, making it critical in severity. It stems from an issue in versions 7 and 8 of Java Runtime Environment (JRE), which is used by IBM Integration Designer toolset.
 
JRE is a software layer that runs on top of a computer’s operating system (OS), and enables Java to run seamlessly on any system regardless of its OS.
What is a Buffer-Overflow Flaw?
The flaw is a stack-based buffer-overflow error. This is a class of vulnerability where the region of a process’ memory that’s used to store dynamic variables (the heap) can be overwhelmed.
“By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash,” according to IBM’s Monday [color=var(--theme-link_a)]security advisory
.
 
The error exists when the virtual machine (VM) or Java Native Interface converts characters from UTF-8 to platform encoding. Java Native Interface is a programming framework that enables Java code running in a Java VM to call native applications and libraries written in other languages.
 
IBM didn’t provide further information about what type of privileges an attacker would need, where they would need to send the string or the initial attack vector.
IBM Integration Designer Affected
Specifically, CVE-2020-27221 exists in Eclipse OpenJ9, a high-performance, scalable, Java VM implementation that is fully compliant with JRE.
“Contributed to the Eclipse foundation by IBM, the OpenJ9 JVM underpins the IBM SDK, Java Technology Edition, which is a core component of many IBM Enterprise software products,” [color=var(--theme-link_a)]according to IBM[/color].
 
IBM Integration Designer versions 8.5.7, 19.0.0.2, 20.0.0.1 and 20.0.0.2, which use JRE versions 7 and 8, are affected. The vulnerability was first reported on Dec. 16 via the [color=var(--theme-link_a)]Eclipse Foundation[/color], which is a global community of Eclipse open source software development members. A fix can be found here for [color=var(--theme-link_a)]each affected version[/color] of IBM Integration Designer.
 
Another vulnerability (CVE-2020-14782) was fixed, stemming from the JRE implementation in IBM Integration Designer. This “unspecified” vulnerability existed in Java SE and was related to the Libraries component. However, [color=var(--theme-link_a)]according to IBM[/color] it had “no confidentiality impact, low integrity impact and no availability impact.”
IBM Planning Analytics Workspace High-Severity Flaws
IBM also patched a slew of high-severity flaws in its IBM Planning Analytics Workspace; a web-based interface for IBM Planning Analytics that provides an interface to create and analyze content. The flaws exist specifically in Release 61 of the Local v2.0 for Planning Analytics Workspace.
 
Three vulnerabilities exist in Node.js, an open-source, cross-platform JavaScript runtime environment for developing server-side and networking applications, which is used in IBM Planning Analytics. These flaws include a denial-of-service vulnerability ([color=var(--theme-link_a)]CVE-2020-8251[/color]); an  HTTP request-smuggling glitch ([color=var(--theme-link_a)]CVE-2020-8201[/color]); and a buffer-overflow error ([color=var(--theme-link_a)]CVE-2020-8252[/color]).
 
Another flaw ([color=var(--theme-link_a)]CVE-2020-25649[/color]) exists in the FasterXML Jackson Databind, used to convert JSON to and from Plain Old Java Object (POJO) using property accessor or using annotations.
 
The flaw “could provide weaker than expected security, caused by not having entity expansion secured properly,” according to IBM. “A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.”
IBM Continues Security-Flaw Fix Campaign
IBM previously issued various fixes for vulnerabilities, including [color=var(--theme-link_a)]ones in Spectrum Protect Plus in September[/color]. This is Big Blue’s security tool that’s found under the umbrella of its Spectrum data storage software branding. The flaws could be exploited by remote attackers to execute code on vulnerable systems.
 
In August, a shared-memory flaw was discovered in [color=var(--theme-link_a)]IBM’s next-gen data-management software[/color] that researchers said could lead to other threats — as demonstrated by a new proof-of-concept exploit for the bug.
 
And in April, four serious security vulnerabilities in [color=var(--theme-link_a)]the IBM Data Risk Manager[/color] (IDRM) were identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis – and a proof-of-concept exploit is available.
[/color]

Source
Reply


Messages In This Thread
IBM Squashes Critical Remote Code-Execution Flaw - by Bjyda - 02-24-2021 , 11:37 PM

Possibly Related Threads…
Thread Author Replies Views Last Post
  Vulnerabilities in WatchGuard, Panda Security Products Lead to Code Execution mrtrout 0 663 02-04-2024 , 06:49 AM
Last Post: mrtrout
  VMware warns of critical vRealize flaw exploited in attacks mrtrout 0 566 06-21-2023 , 02:00 AM
Last Post: mrtrout
  PyPI removes 'mitmproxy2' over code execution concerns mrtrout 0 702 10-12-2021 , 10:43 PM
Last Post: mrtrout
  "git clone" Hit By Vulnerability That Could Lead To Code Execution Bjyda 0 1,293 03-11-2021 , 10:30 PM
Last Post: Bjyda
  Adobe Patches Code Execution Flaws in Connect, Creative Cloud, Framemaker Bjyda 0 1,214 03-10-2021 , 12:14 AM
Last Post: Bjyda



Users browsing this thread: 1 Guest(s)