===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4049
         Security Bulletin: IBM QRadar SIEM is vulnerable to using
                   components with known vulnerabilities
                              1 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Root Compromise                 -- Existing Account            
                   Execute Arbitrary Code/Commands -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-32399 CVE-2021-29650 CVE-2021-29425
                   CVE-2021-29154 CVE-2021-28169 CVE-2021-28165
                   CVE-2021-28163 CVE-2021-22696 CVE-2021-22555
                   CVE-2021-3715 CVE-2020-27777 CVE-2020-13954
                   CVE-2020-9492 CVE-2020-7226 CVE-2019-17573
                   CVE-2019-9924 CVE-2018-18751 CVE-2018-11768
                   CVE-2018-8029 CVE-2017-15713 

Reference:         ESB-2021.0166
                   ESB-2021.0069
                   ESB-2020.4391

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6520472

--------------------------BEGIN INCLUDED TEXT--------------------

IBM QRadar SIEM is vulnerable to using components with know vulnerabilities

Document Information

Document number    : 6520472
Modified date      : 30 November 2021
Product            : IBM QRadar SIEM
Software version   : 7.3, 7.4
Operating system(s): Linux

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2020-7226
DESCRIPTION: Cryptacular is vulnerable to a denial of service, caused by an
excessive memory allocation during a decode operation in CiphertextHeader.java.
By sending a specially crafted request, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175399 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2021-29425
DESCRIPTION: Apache Commons IO could allow a remote attacker to traverse
directories on the system, caused by improper input validation by the
FileNameUtils.normalize method. An attacker could send a specially-crafted URL
request containing "dot dot" sequences (/../) to view arbitrary files on the
system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2021-28165
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by
improper input validation. By sending a specially-crafted TLS frame, a remote
attacker could exploit this vulnerability to cause CPU resources to reach
100% usage.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-28169
DESCRIPTION: Eclipse Jetty could allow a remote attacker to obtain sensitive
information, caused by a flaw in the ConcatServlet. By sending a
specially-crafted request using a doubly encoded path, an attacker could
exploit this vulnerability to obtain sensitive information from protected
resources within the WEB-INF directory, and use this information to launch
further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203492 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2021-28163
DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to
obtain sensitive information, caused by a flaw when the ${jetty.base} directory
or the ${jetty.base}/webapps directory is a symlink. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
obtain webapp directory contents information, and use this information to
launch further attacks against the affected system.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199303 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2021-22696
DESCRIPTION: Apache CXF is vulnerable to a denial of service, caused by
improper validation of request_uri parameter by the OAuth 2 authorization
service. By sending a specially-crafted request, a remote attacker could
exploit this vulnerability to cause a denial of service condition on the
authorization server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199335 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-13954
DESCRIPTION: Apache CXF is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the services listing page. A
remote attacker could exploit this vulnerability using the styleSheetPath in a
specially-crafted URL to execute script in a victim's Web browser within the
security context of the hosting Web site, once the URL is clicked. An attacker
could use this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191650 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-8029
DESCRIPTION: Apache Hadoop could allow a remote authenticated attacker to gain
elevated privileges on the system. An attacker could exploit this vulnerability
to run arbitrary commands as root user.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161812 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-9492
DESCRIPTION: Apache Hadoop could allow a remote authenticated attacker to gain
elevated privileges on the system, caused by improper validation of SPNEGO
authorization header. By sending a specially-crafted request, an authenticated
attacker could exploit this vulnerability to gain elevated privileges to
trigger services to send server credentials to a webhdfs path for capturing the
service principal.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195656 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-11768
DESCRIPTION: Apache Hadoop is vulnerable to a denial of service, caused by a
mismatch in the size of the fields used to store user/group information between
memory and disk representation. By sending a specially-crafted request, a
remote attacker could exploit this vulnerability to cause the user/group
information to be corrupted across storing in fsimage and reading back from
fsimage.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-15713
DESCRIPTION: Apache Hadoop could allow a remote authenticated attacker to
obtain sensitive information. By using a specially-crafted file, a remote
attacker could exploit this vulnerability to expose private files.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-18751
DESCRIPTION: GNU gettext is vulnerable to a denial of service, caused by a
double free flaw in the default_add_message function in read-catalog.c. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152105 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-9924
DESCRIPTION: Bash could allow a remote authenticated attacker to execute
arbitrary commands on the system, caused by the failure to prevent the shell
user from modifying BASH_CMDS in the rbash. By modifying BASH_CMDS, an attacker
could exploit this vulnerability to execute arbitrary commands on the system
with the permissions of the shell.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158906 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-3715
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by a use-after-free in
route4_change() in net/sched/cls_route.c. By sending a specially-crafted
request, an attacker could exploit this vulnerability to escalate privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208836 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-27777
DESCRIPTION: Linux Kernel for PowerPC could allow a local authenticated
attacker to bypass security restrictions, caused by a flaw with the Run-Time
Abstraction Services (RTAS) interface. By sending a specially-crafted request,
an attacker could exploit this vulnerability to overwrite some parts of memory,
including kernel memory.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192283 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-22555
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by a heap out-of-bounds write flaw in
net/netfilter/x_tables.c. By sending a specially-crafted request through a user
namespace, an authenticated attacker could exploit this vulnerability to gain
elevated privileges or cause a denial of service condition.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204997 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-29154
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by incorrect computation of branch
displacements in the BPF JIT compiler. By sending a specially-crafted request,
an authenticated attacker could exploit this vulnerability to gain elevated
privileges and execute arbitrary code in kernel mode.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199609 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-29650
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by the
lack of a full memory barrier upon the assignment of a new table value in the
netfilter subsystem. By sending a specially-crafted request, a local attacker
could exploit this vulnerability to cause the system to crash.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199201 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-32399
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by a race condition in the Bluetooth
subsystem. By sending a specially-crafted request, an authenticated attacker
could exploit this vulnerability to execute arbitrary code with elevated
privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201653 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM QRadar SIEM 7.3.0 to 7.3.3 Fix Pack 9

IBM QRadar SIEM 7.4.0 to 7.4.3 Fix Pack 3

Remediation/Fixes

QRadar / QRM / QVM / QRIF / QNI 7.3.3 Fix Pack 10

QRadar / QRM / QVM / QRIF / QNI 7.4.3 Fix Pack 4

Workarounds and Mitigations

None

Change History

26 Nov 2021: Initial Publication

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================