Advisory No: TZCERT/SA/2024/07/26-2
Date of First Release: 26th July 2024
Source: IBM
Software Affected: Apache Velocity, protobuf.js, Containerd
Overview:
Multiple IBM products that depend on Apache Velocity, protobuf.js, or Containerd are affected by critical vulnerabilities. Attackers can exploit these vulnerabilities to execute arbitrary code on the affected system.
Description:
Multiple IBM products that depend on Apache Velocity, protobuf.js, and Containerd are affected by critical vulnerabilities with CVSS base scores of 9.8, tracked as CVE-2020-13936, CVE-2023-36665, and CVE-2020-15257 respectively. The vulnerabilities are caused by a sandbox bypass flaw in Apache Velocity, prototype pollution in protobuf.js, and improper access control in the containerd-shim API of containerd. An attacker can send specially crafted requests to execute arbitrary code on the vulnerable system.
Impact:
Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.
Solution:
IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
References: