02-24-2021, 11:37 PM
A critical-severity buffer-overflow flaw that affects IBM Integration Designer could allow remote attackers to execute code.
IBM has patched a critical buffer-overflow error that affects Big Blue’s Integration Designer toolset, which helps enterprises create business processes that integrate ap
The flaw (CVE-2020-27221) has a CVSS base score of 9.8 out of 10, making it critical in severity. It stems from an issue in versions 7 and 8 of the Java Runtime Environment (JRE), which is used by the IBM Integration Designer toolset.
JRE is a software layer that runs on top of a computer’s operating system (OS), and enables Java to run seamlessly on any system regardless of its OS.
What is a Buffer-Overflow Flaw?
The flaw is a stack-based buffer-overflow error. This is a class of vulnerability where the region of a process’ memory that’s used to store dynamic variables (the heap) can be overwhelmed.
“By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash,” according to IBM’s Monday security advisory.
The error exists when the virtual machine (VM) or Java Native Interface converts characters from UTF-8 to platform encoding. Java Native Interface is a programming framework that enables Java code running in a Java VM to call native applications and libraries written in other languages.
IBM didn’t provide further information about what type of privileges an attacker would need, where they would need to send the string or the initial attack vector.
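The bug class described above, shown as a bounded UTF-8 to platform-encoding conversion. This is an added example, not OpenJ9 or IBM code and not taken from the advisory; the function names, the use of ISO-8859-1 as the platform encoding and the 16-byte buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Decode one UTF-8 sequence from s (n bytes remain) into *cp. Returns the
 * sequence length, or 0 for malformed, truncated or overlong input. Only
 * 1- to 3-byte forms are handled; 4-byte forms are rejected for brevity. */
static size_t utf8_next(const unsigned char *s, size_t n, unsigned *cp)
{
    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0 && n >= 2 && (s[1] & 0xC0) == 0x80) {
        *cp = ((s[0] & 0x1Fu) << 6) | (s[1] & 0x3Fu);
        return *cp >= 0x80 ? 2 : 0;
    }
    if ((s[0] & 0xF0) == 0xE0 && n >= 3 &&
        (s[1] & 0xC0) == 0x80 && (s[2] & 0xC0) == 0x80) {
        *cp = ((s[0] & 0x0Fu) << 12) | ((s[1] & 0x3Fu) << 6) | (s[2] & 0x3Fu);
        return *cp >= 0x800 ? 3 : 0;
    }
    return 0;
}

/* Convert UTF-8 to ISO-8859-1 in dst, whose capacity cap includes the NUL.
 * Returns bytes written (without the NUL), or -1 if the input is malformed
 * or the result does not fit. Without the capacity test, this loop overruns. */
long utf8_to_latin1(const char *src, size_t src_len, char *dst, size_t cap)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t in = 0, out = 0;
    if (cap == 0) return -1;
    while (in < src_len) {
        unsigned cp;
        size_t k = utf8_next(s + in, src_len - in, &cp);
        if (k == 0) return -1;
        if (out + 1 >= cap) return -1;            /* keep room for the NUL */
        dst[out++] = cp <= 0xFF ? (char)cp : '?'; /* unmappable -> '?' */
        in += k;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Caller with a fixed 16-byte stack buffer (size is an assumption): an
 * over-long string is refused instead of overrunning the frame. */
long platform_len(const char *utf8)
{
    char buf[16];
    return utf8_to_latin1(utf8, strlen(utf8), buf, sizeof buf);
}
```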
IBM Integration Designer Affected
Specifically, CVE-2020-27221 exists in Eclipse OpenJ9, a high-performance, scalable, Java VM implementation that is fully compliant with JRE.
“Contributed to the Eclipse foundation by IBM, the OpenJ9 JVM underpins the IBM SDK, Java Technology Edition, which is a core component of many IBM Enterprise software products,” according to IBM.
IBM Integration Designer versions 8.5.7, 19.0.0.2, 20.0.0.1 and 20.0.0.2, which use JRE versions 7 and 8, are affected. The vulnerability was first reported on Dec. 16 via the Eclipse Foundation, which is a global community of Eclipse open source software development members. A fix can be found here for each affected version of IBM Integration Designer.
Another vulnerability (CVE-2020-14782) was fixed, stemming from the JRE implementation in IBM Integration Designer. This “unspecified” vulnerability existed in Java SE and was related to the Libraries component. However, according to IBM it had “no confidentiality impact, low integrity impact and no availability impact.”
IBM Planning Analytics Workspace High-Severity Flaws
IBM also patched a slew of high-severity flaws in its IBM Planning Analytics Workspace, a web-based interface for IBM Planning Analytics that provides an interface to create and analyze content. The flaws exist specifically in Release 61 of the Local v2.0 for Planning Analytics Workspace.
Three vulnerabilities exist in Node.js, an open-source, cross-platform JavaScript runtime environment for developing server-side and networking applications, which is used in IBM Planning Analytics. These flaws include a denial-of-service vulnerability (CVE-2020-8251); an HTTP request-smuggling glitch (CVE-2020-8201); and a buffer-overflow error (CVE-2020-8252).
Another flaw (CVE-2020-25649) exists in FasterXML Jackson Databind, which converts JSON to and from Plain Old Java Objects (POJOs) using property accessors or annotations.
The flaw “could provide weaker than expected security, caused by not having entity expansion secured properly,” according to IBM. “A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.”
IBM Continues Security-Flaw Fix Campaign
IBM previously issued various fixes for vulnerabilities, including ones in Spectrum Protect Plus in September. This is Big Blue’s security tool that’s found under the umbrella of its Spectrum data storage software branding. The flaws could be exploited by remote attackers to execute code on vulnerable systems.
In August, a shared-memory flaw was discovered in IBM’s next-gen data-management software that researchers said could lead to other threats — as demonstrated by a new proof-of-concept exploit for the bug.
And in April, four serious security vulnerabilities in the IBM Data Risk Manager (IDRM) were identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis – and a proof-of-concept exploit is available.
Source