IBM Fixes Critical Vulnerabilities in Voice, Security, and Cloud Services
Three vulnerabilities, all of which affect the Golang packages the platform utilizes, were fixed in IBM Netezza for Cloud Pak for Data. With a CVSS score of 7.5, two of these issues are classified as having “high severity.”
Each of the three issues is classified as a denial-of-service (DoS) vulnerability in Golang that might be remotely exploited by employing specially designed material or requests.
The problems have been fixed in platform version 220.127.116.11, which affects Netezza for Cloud Pak for Data versions 18.104.22.168 through 22.214.171.124.
Additionally, IBM released updates for five Node.js issues that affect Voice Gateway, including two that are classified as “high severity” and may allow arbitrary code execution or privilege escalation.
A DLL search order hijacking in providers.dll is the first of the issues, and it might be used by an attacker to get administrative rights to the system by using a purpose-built file.
The second problem occurs when Node.js improperly determines if an IP address is incorrect. An attacker who had access to the victim’s DNS server or who could spoof its replies might take advantage of the vulnerability to run arbitrary code.
The three remaining issues are classified as “medium severity” and include defects in HTTP request trafficking that could result in cross-site scripting (XSS) attacks, web cache poisoning, or firewall protection bypass.
Voice Gateway 1.0.7, 126.96.36.199, and 1.0.8 are all affected by the bugs. All five issues have been fixed in the latest Voice Gateway 1.0.8.x images that IBM released.
Additionally, IBM addressed six SiteProtector vulnerabilities that all affect the Apache HTTP Server. A bug that allows for high-severity request smuggling is the worst of them.
The problems affect the IBM Security SiteProtector system version 3.1.1 and have been fixed in the appliance’s latest release, 188.8.131.52.
A medium-severity identification spoofing vulnerability in Liberty for Java for IBM Cloud was also addressed by IBM this week. The business also made updates to several previously released warnings, including one from May that described how the Spring4Shell issue affected the IBM Cloud Pak System.