Critical vulnerabilities in multiple IBM products (CVE-2020-13936, CVE-2023-36665, CVE-2020-15257)

Published: Aug 16, 2024 18:36

Advisory No: TZCERT-SA-24-0009

Source: Apache Velocity, protobuf.js, Containerd

Software Affected: Apache Velocity, protobuf.js, Containerd

Overview

Multiple IBM products that depend on Apache Velocity, protobuf.js, or Containerd are affected by critical vulnerabilities. Attackers can exploit these vulnerabilities to execute arbitrary code on the affected system.

Description

Multiple IBM products that depend on Apache Velocity, protobuf.js, and Containerd are affected by critical vulnerabilities with CVSS base scores of 9.8, tracked as CVE-2020-13936, CVE-2023-36665, and CVE-2020-15257 respectively. The vulnerabilities are caused by a sandbox bypass flaw in Apache Velocity, prototype pollution in protobuf.js, and improper access control in the containerd-shim API in containerd. Attackers can send specially crafted requests to execute arbitrary code on the vulnerable system.
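The prototype pollution flaw class named in the description, as an added JavaScript example: this is constructed illustration code, not code from protobuf.js, IBM, or TZ-CERT, and it does not reproduce CVE-2023-36665 itself. It assumes a hypothetical recursive merge that copies parsed JSON into a configuration object; `unsafeMerge`, `safeMerge`, `findPrototypeKeys`, and the sample payload are all assumptions made for the example. It shows why the flaw matters (an unrelated object silently gains a property), the hardened merge, and an input check a defender can run on untrusted JSON before it reaches a merge.

```javascript
// Constructed example: prototype pollution through a recursive merge.
// None of this is protobuf.js, IBM, or TZ-CERT code.

// Keys that reach the prototype chain instead of the target object itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed untrusted input: a JSON document with a "__proto__" key.
// JSON.parse creates it as an own property, so Object.keys() returns it.
const UNTRUSTED_JSON = '{"name":"widget","__proto__":{"isAdmin":true}}';

// Vulnerable pattern (hypothetical): trusts every key in the input.
// For key "__proto__", target[key] resolves to Object.prototype, and the
// recursive call then writes the nested properties into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern (hypothetical): skips prototype-chain keys, only reuses
// containers that are the target's own properties, and creates nested
// containers with a null prototype so they carry no inherited setters.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop the dangerous key entirely
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper (hypothetical): walks parsed JSON and reports the paths
// of any prototype-chain keys, so a request can be rejected and logged
// before it is merged into application state.
function findPrototypeKeys(value, path = '$') {
  const hits = [];
  if (!value || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (BLOCKED_KEYS.has(key)) hits.push(here);
    hits.push(...findPrototypeKeys(value[key], here));
  }
  return hits;
}

// Runs one merge against the constructed payload and reports whether an
// unrelated, freshly created object now inherits "isAdmin". Cleans up
// Object.prototype afterwards so the process is left as it was found.
function runDemo(mergeFn) {
  const config = mergeFn({ name: 'default' }, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true; // probe an object the merge never touched
  const configName = config.name;
  delete Object.prototype.isAdmin;
  return { leaked, configName };
}

console.log('unsafeMerge:', runDemo(unsafeMerge)); // leaked: true
console.log('safeMerge:  ', runDemo(safeMerge));   // leaked: false
console.log('suspicious keys:', findPrototypeKeys(JSON.parse(UNTRUSTED_JSON)));
```

The detection helper is the piece worth reusing on its own: run it on decoded request bodies at the edge and treat any hit as a reason to reject the request, independent of which library later consumes the data.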

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
