
IBM Patches RCE Vulnerabilities in Data Virtualization Manager, Security SOAR

IBM has released patches for two high-severity remote code execution vulnerabilities in Data Virtualization Manager and Security SOAR.

IBM on Monday announced patches for multiple vulnerabilities across its products, including two high-severity remote code execution (RCE) issues in Data Virtualization Manager and Security SOAR.

Tracked as CVE-2024-52899 (CVSS score of 8.5), the flaw in Data Virtualization Manager for z/OS could allow a remote, authenticated attacker to inject malicious JDBC URL parameters, which could lead to arbitrary code execution on the server.

IBM has released fix packs for Data Virtualization Manager for z/OS versions 1.1 and 1.2, and has included instructions on how to download them in its advisory.

The Security SOAR defect, tracked as CVE-2024-45801 (CVSS score of 7.3), is a prototype pollution flaw in the depth check of DOMPurify, the HTML sanitizer library used by the product's user interface, and can result in RCE.

“By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,” IBM explains.

IBM Security SOAR version 51.0.4.0 resolves the vulnerability by removing the vulnerable component from the UI. The tech giant also published upgrade instructions for Security SOAR users.
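To make the mechanism IBM describes concrete, the following is an added example written for this page; it is not IBM's or DOMPurify's code and does not reproduce the specific DOMPurify defect. It shows how a recursive merge that follows attacker-supplied keys such as `__proto__` or `constructor.prototype` ends up writing into `Object.prototype`, so that every object in the process inherits the injected property, and how a hardened merge refuses those keys. The payload strings and the `isAdmin` property name are constructed for the demonstration.

```javascript
// Added example: prototype pollution through a naive recursive merge, and a
// hardened variant. Not IBM or DOMPurify code; payloads below are constructed.

// Attacker-controlled JSON bodies. JSON.parse creates an *own* property literally
// named "__proto__", so Object.keys() will enumerate it.
const PROTO_PAYLOAD = '{"__proto__": {"isAdmin": true}}';
const CONSTRUCTOR_PAYLOAD = '{"constructor": {"prototype": {"isAdmin": true}}}';

// The three keys through which a merge can reach a prototype object.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isMergeable(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Vulnerable: recurses into whatever target[key] resolves to. On a plain object,
// target["__proto__"] is Object.prototype and target["constructor"]["prototype"]
// is Object.prototype as well, so the nested values land on the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isMergeable(value)) {
      if (!isMergeable(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the dangerous keys, only reuse an existing branch when it is an
// own property of the target, and write with defineProperty so no inherited
// setter (such as the __proto__ accessor) is ever triggered.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    const descriptor = { writable: true, enumerable: true, configurable: true };
    if (isMergeable(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const branch = hasOwn && isMergeable(target[key]) ? target[key] : {};
      Object.defineProperty(target, key, { ...descriptor, value: branch });
      safeMerge(branch, value);
    } else {
      Object.defineProperty(target, key, { ...descriptor, value });
    }
  }
  return target;
}

// Runs one merge into a fresh, empty target and reports whether an unrelated
// object created beforehand gained the injected property. Always undoes the
// pollution so the rest of the process is left clean.
function pollutes(mergeFn, payload) {
  const victim = {}; // never touched by the merge directly
  try {
    mergeFn({}, JSON.parse(payload));
    return victim.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

console.log('unsafeMerge, __proto__ payload pollutes:', pollutes(unsafeMerge, PROTO_PAYLOAD));
console.log('unsafeMerge, constructor payload pollutes:', pollutes(unsafeMerge, CONSTRUCTOR_PAYLOAD));
console.log('safeMerge, __proto__ payload pollutes:', pollutes(safeMerge, PROTO_PAYLOAD));
console.log('safeMerge, constructor payload pollutes:', pollutes(safeMerge, CONSTRUCTOR_PAYLOAD));
```

The jump from pollution to code execution or denial of service comes from whatever code later reads the polluted property: a sanitizer or template engine that consults an options object will see attacker-chosen values for keys it never set, and a check that does `if (obj.someFlag)` on an inherited property can be flipped. Skipping the three keys is the minimal fix; a stricter design stores untrusted key/value data in a `Map` or an `Object.create(null)` object that has no prototype to reach.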

On Monday, IBM also announced patches for CVE-2024-49353, a high-severity vulnerability in Watson Speech Services Cartridge for Cloud Pak for Data that could lead to a crash, and for CVE-2024-6119, a denial-of-service (DoS) vulnerability in OpenSSL (used in Data Observability by Databand).

Additionally, the tech giant addressed three medium- and low-severity defects in Engineering Lifecycle Management: one exploitable for cross-site scripting (XSS), one allowing a user to modify any dashboard they have access to, and one allowing the administrative username and plaintext password to be recovered with a network sniffer.


The IBM Workload Scheduler was also found to store user credentials in plain text, while insufficient session expiration in Watson Query and Db2 Big SQL on Cloud Pak for Data could allow authenticated attackers to access sensitive information.

IBM makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to update their instances as soon as possible. Additional information can be found on IBM’s security bulletins page.


Written by Ionut Arghire, international correspondent for SecurityWeek.
