
Multiple RCE Critical Vulnerabilities affecting IBM products (CVE-2022-36364, CVE-2020-24616, CVE-2024-39008)

Advisory No: TZCERT/SA/2024/08/15-1

Date of First Release: 15th August 2024

Source: IBM

Software Affected: Apache Calcite Avatica, FasterXML jackson-databind, robinweser fast-loops

Overview:

Three third-party components used by IBM products are affected by critical vulnerabilities. Attackers can exploit these vulnerabilities to execute arbitrary code or cause a denial of service.

Description:

Multiple IBM products that depend on Apache Calcite Avatica, FasterXML jackson-databind and robinweser fast-loops are affected by critical vulnerabilities, each with a CVSS base score of 9.8, tracked as CVE-2022-36364, CVE-2020-24616 and CVE-2024-39008 respectively:

  1. Apache Calcite Avatica (CVE-2022-36364): a flaw in the JDBC driver.
  2. FasterXML jackson-databind (CVE-2020-24616): unsafe deserialization arising from the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
  3. robinweser fast-loops (CVE-2024-39008): prototype pollution in the function objectMergeDeep.

By sending specially crafted input, an attacker could exploit these vulnerabilities to execute arbitrary code or cause a denial of service.

Impact:

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system or cause a denial of service condition.

Solution:

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://exchange.xforce.ibmcloud.com/vulnerabilities/232360
  2. https://exchange.xforce.ibmcloud.com/vulnerabilities/187229
  3. https://exchange.xforce.ibmcloud.com/vulnerabilities/297175
