
Critical Vulnerabilities in Multiple IBM Products (CVE-2020-13936, CVE-2023-36665, CVE-2020-15257)

Advisory No: TZCERT/SA/2024/07/26-2

Date of First Release: 26th July 2024

Source: IBM

Software Affected: Apache Velocity, protobuf.js, containerd

Overview:

Multiple IBM products that depend on Apache Velocity, protobuf.js, and containerd are affected by critical vulnerabilities. Attackers can exploit these vulnerabilities to execute arbitrary code on the affected system.

Description:

Multiple IBM products that depend on Apache Velocity, protobuf.js, and containerd are affected by critical vulnerabilities with CVSS base scores of 9.8, tracked as CVE-2020-13936, CVE-2023-36665, and CVE-2020-15257 respectively. The vulnerabilities are due to a sandbox bypass flaw in Apache Velocity, prototype pollution in protobuf.js, and improper access control in the containerd-shim API in containerd. Attackers can send specially crafted requests to execute arbitrary code on the vulnerable system.

Impact:

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution:

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://exchange.xforce.ibmcloud.com/vulnerabilities/197993
  2. https://exchange.xforce.ibmcloud.com/vulnerabilities/259737
  3. https://exchange.xforce.ibmcloud.com/vulnerabilities/192452
