Critical Vulnerabilities in multiple IBM vulnerabilities (CVE-2024-1597, CVE-2022-46337)

Advisory No: TZCERT/SA/2024/07/10-1

Date of First Release: 10^th July 2024

Source: IBM

Software Affected:  PostgreSQL JDBC Driver, Apache Derby

Overview:

Multiple IBM products depending on  PostgreSQL JDBC Driver, and Apache Derby are vulnerable to critical vulnerabilities. Attackers can exploit the vulnerabilities to dump critical data or execute arbitrary code.

Description:

Multiple IBM products running on  PostgreSQL JDBC Driver, and are affected by critical vulnerabilities with CVSS base scores of 10 and 9.1 and tracked as CVE-2024-1597, and CVE-2022-46337 respectively. The vulnerabilities exist in PostgreSQL JDBC Driver that uses the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value, and in Apache Derby plugin caused by a LDAP injection vulnerability in authenticator. The attackers can send specially crafted request to execute arbitrary code on the vulnerable system.

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution:

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References:

1. https://exchange.xforce.ibmcloud.com/vulnerabilities/283693
2. https://exchange.xforce.ibmcloud.com/vulnerabilities/271915