Multiple RCE Critical Vulnerabilities affecting IBM products (CVE-2022-36364, CVE-2020-24616, CVE-2024-39008)

Published: Aug 16, 2024 19:00

Advisory No: TZCERT-SA-24-0024

Source: IBM

Software Affected: Apache Calcite Avatica, FasterXML jackson-databind, robinweser fast-loops

Overview

Three plugins in IBM products are vulnerable to critical vulnerabilities. Attackers can exploit the vulnerabilities to execute arbitrary code or cause a denial of service.

Description

Multiple IBM products that depend on Apache Calcite Avatica, FasterXML jackson-databind and robinweser fast-loops are affected by critical vulnerabilities with CVSS base scores of 9.8, tracked as CVE-2022-36364, CVE-2020-24616 and CVE-2024-39008 respectively. The vulnerabilities are caused by, respectively, a flaw in the Avatica JDBC driver, unsafe deserialization in jackson-databind arising from the interaction between gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP), and prototype pollution in the fast-loops function objectMergeDeep. By sending specially crafted input, an attacker could exploit these vulnerabilities to execute arbitrary code or cause a denial of service.
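The prototype-pollution class named above for objectMergeDeep is easiest to understand by placing a naive recursive merge beside a hardened one. The block below is an added illustration written for this advisory; it is not code from IBM, from the fast-loops project, or from objectMergeDeep itself, and the input document is a constructed example. It shows how a `__proto__` key in a parsed JSON document reaches `Object.prototype` through an unguarded merge, and how rejecting the prototype-redirecting keys and descending only into own, plain-object properties prevents it.

```javascript
// Added example (not code from the advisory, IBM, or the fast-loops project):
// a generic naive deep merge next to a hardened one, to show the bug class
// the advisory names (prototype pollution in a deep-merge helper).

// Constructed input document of the shape a prototype-pollution payload takes.
// JSON.parse creates "__proto__" as an OWN property here, so Object.keys lists it.
const CONSTRUCTED_INPUT = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');

function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern: it recurses into target[key] even when key is "__proto__",
// so target["__proto__"] resolves (via the inherited accessor) to Object.prototype
// and the nested keys are written onto the shared prototype.
function naiveMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      naiveMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip the keys that can redirect a write to a prototype,
// and only descend into properties the target actually owns as plain objects.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges against the constructed input and reports whether an
// unrelated, freshly created object picked up the injected property.
// Object.prototype is cleaned between the two runs so the second measurement
// does not depend on the first.
function demonstrate() {
  const naiveTarget = naiveMergeDeep({}, CONSTRUCTED_INPUT);
  const naivePolluted = ({}).polluted === true;
  delete Object.prototype.polluted;

  const safeTarget = safeMergeDeep({}, CONSTRUCTED_INPUT);
  const safePolluted = ({}).polluted === true;

  return {
    naivePolluted,
    safePolluted,
    naiveName: naiveTarget.name,
    safeName: safeTarget.name,
    safeHasOwnProto: Object.prototype.hasOwnProperty.call(safeTarget, "__proto__"),
  };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const r = demonstrate();
  console.log(`naive merge polluted Object.prototype: ${r.naivePolluted}`);
  console.log(`hardened merge polluted Object.prototype: ${r.safePolluted}`);
}
```

Run it with `node` to see the naive merge report `true` and the hardened merge `false`. The key-denylist alone is not the whole fix: the `hasOwnProperty` check matters too, because any inherited property name that resolves to an object would otherwise become a merge target. When triaging a dependency for this bug class, look for a recursive merge that indexes the target with caller-supplied keys and lacks both of these guards.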

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system or cause a denial of service condition.

Solution

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
