Critical Vulnerabilities in multiple IBM vulnerabilities (CVE-2024-1597, CVE-2022-46337)

Published On: Jul 11, 2024 05:24

Advisory No: TZCERT/SA/2024/07/10-1

Source: IBM

Software Affected: PostgreSQL JDBC Driver, Apache Derby

Overview

Multiple IBM products depending on  PostgreSQL JDBC Driver, and Apache Derby are vulnerable to critical vulnerabilities. Attackers can exploit the vulnerabilities to dump critical data or execute arbitrary code.

Description

Multiple IBM products running on PostgreSQL JDBC Driver, and are affected by critical vulnerabilities with CVSS base scores of 10 and 9.1 and tracked as CVE-2024-1597, and CVE-2022-46337 respectively. The vulnerabilities exist in PostgreSQL JDBC Driver that uses the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value, and in Apache Derby plugin caused by a LDAP injection vulnerability in authenticator. The attackers can send specially crafted request to execute arbitrary code on the vulnerable system.

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Report Incident