IBM on Monday announced patches for multiple vulnerabilities across its products, including two high-severity remote code execution (RCE) issues in Data Virtualization Manager and Security SOAR.
Tracked as CVE-2024-52899 (CVSS score of 8.5), the flaw in Data Virtualization Manager for z/OS could allow a remote, authenticated attacker to inject malicious JDBC URL parameters, which could lead to arbitrary code execution on the server.
IBM has released fix packs for Data Virtualization Manager for z/OS versions 1.1 and 1.2, and has included instructions on how to download them in its advisory.
The Security SOAR defect, tracked as CVE-2024-45801 (CVSS score of 7.3), is described as a prototype pollution flaw in depth check, resulting in RCE via the DOMPurify component of the user interface.
“By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,” IBM explains.
IBM Security SOAR version 51.0.4.0 resolves the vulnerability by removing the vulnerable component from the UI. The tech giant also published upgrade instructions for Security SOAR users.
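The class of flaw IBM describes can be reproduced in a few lines. The following is an added example, not DOMPurify or Security SOAR code: a constructed `__proto__` payload changes the limit used by a nesting-depth check, shown next to a hardened merge and check that are unaffected. The function names, the limit of 3 and the payload are assumptions made for the demonstration.

```javascript
// Constructed illustration; not DOMPurify or IBM Security SOAR code.
const DEFAULT_MAX_DEPTH = 3; // assumed limit for this demo
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Recursive merge. With safe=false it follows "__proto__" into Object.prototype.
function merge(target, source, safe) {
  for (const key of Object.keys(source)) {
    if (safe && BLOCKED_KEYS.has(key)) continue; // hardened: skip prototype keys
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // target["__proto__"] resolves to Object.prototype on the unsafe path
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      merge(target[key], value, safe);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Nesting depth of a { children: [...] } tree.
function depthOf(node) {
  const kids = Array.isArray(node.children) ? node.children : [];
  return 1 + Math.max(0, ...kids.map(depthOf));
}
// Vulnerable: inherited lookup lets Object.prototype.maxDepth replace the default.
function withinDepthUnsafe(node, opts = {}) {
  return depthOf(node) <= (opts.maxDepth ?? DEFAULT_MAX_DEPTH);
}
// Hardened: only an own property of opts can change the limit.
function withinDepthSafe(node, opts = {}) {
  const own = Object.prototype.hasOwnProperty.call(opts, "maxDepth");
  return depthOf(node) <= (own ? opts.maxDepth : DEFAULT_MAX_DEPTH);
}
// Defensive check: a clean Object.prototype has no enumerable keys.
const pollutedKeys = () => Object.keys(Object.prototype);

function demo() {
  const payload = JSON.parse('{"__proto__": {"maxDepth": 1000}}'); // constructed input
  const deep = { children: [{ children: [{ children: [{}] }] }] }; // depth 4
  const before = withinDepthUnsafe(deep); // false: 4 > 3
  merge({}, payload, true); // hardened merge leaves the prototype alone
  const afterSafeMerge = pollutedKeys().length;
  merge({}, payload, false); // unsafe merge pollutes Object.prototype
  const out = { before, afterSafeMerge, polluted: pollutedKeys().join(","),
    unsafeAfter: withinDepthUnsafe(deep), safeAfter: withinDepthSafe(deep) };
  delete Object.prototype.maxDepth; // restore a clean prototype
  return out;
}
console.log(demo());
```

The `pollutedKeys()` check works as a runtime assertion or unit test, because a property assigned onto `Object.prototype` this way is enumerable.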
On Monday, IBM also announced patches for CVE-2024-49353, a high-severity vulnerability in Watson Speech Services Cartridge for Cloud Pak for Data that could lead to a crash, and for CVE-2024-6119, a denial-of-service (DoS) vulnerability in OpenSSL (used in Data Observability by Databand).
Additionally, the tech giant addressed three medium- and low-severity security defects in Engineering Lifecycle Management that could be exploited in cross-site scripting (XSS) attacks, could allow a user to change any dashboard they have access to, or could allow recovery of the plain text administrative password and username using a network sniffing tool.
The IBM Workload Scheduler was also found to store user credentials in plain text, while insufficient session expiration in Watson Query and Db2 Big SQL on Cloud Pak for Data could allow authenticated attackers to access sensitive information.
IBM makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to update their instances as soon as possible. Additional information can be found on IBM’s security bulletins page.