-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5150
 Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is
         vulnerable to using components with known vulnerabilities
                              18 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44907 CVE-2021-44906 CVE-2021-37713
                   CVE-2021-37712 CVE-2021-37701 CVE-2021-33502
                   CVE-2021-32804 CVE-2021-32803 CVE-2021-23337
                   CVE-2021-22960 CVE-2021-22959 CVE-2021-3918
                   CVE-2021-3807 CVE-2021-3765 CVE-2020-28469
                   CVE-2020-11023 CVE-2020-11022 CVE-2020-8203
                   CVE-2020-7788 CVE-2020-7598 CVE-2019-1010266
                   CVE-2019-11358 CVE-2019-10744 CVE-2018-25031
                   CVE-2018-16487 CVE-2018-3721 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6830017

Comment: CVSS (Max):  9.8 CVE-2021-3918 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using
components with known vulnerabilities

Document Information

Document number    : 6830017
Modified date      : 17 October 2022
Product            : IBM QRadar SIEM
Software version   : 2.2.9
Operating system(s): Linux

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools. IBM has released a new
version which addresses these issues.

Vulnerability Details

CVEID: CVE-2019-11358
DESCRIPTION: jQuery, as used in Drupal core, is vulnerable to cross-site
scripting, caused by improper validation of user-supplied input. A remote
authenticated attacker could exploit this vulnerability to execute script in a
victim's Web browser within the security context of the hosting Web site. An
attacker could use this vulnerability to steal the victim's cookie-based
authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
159633 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-11022
DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input by the jQuery.htmlPrefilter method. A remote
attacker could exploit this vulnerability to inject malicious script into a Web
page which would be executed in a victim's Web browser within the security
context of the hosting Web site, once the page is viewed. An attacker could use
this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
181349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-11023
DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input by the option elements. A remote attacker
could exploit this vulnerability to inject malicious script into a Web page
which would be executed in a victim's Web browser within the security context
of the hosting Web site, once the page is viewed. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
181350 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2021-44907
DESCRIPTION: Qs is vulnerable to a denial of service, caused by insufficient
sanitization of property in the qs.parse function. By sending a
specially-crafted request, a remote attacker could exploit this vulnerability
to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
222194 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2021-23337
DESCRIPTION: Node.js lodash module could allow a remote authenticated attacker
to execute arbitrary commands on the system, caused by a command injection flaw
in the template. By sending a specially-crafted request, an attacker could
exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
196797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-16487
DESCRIPTION: Node.js lodash module is vulnerable to a denial of service, caused
by a prototype pollution flaw. By sending a specially-crafted request, a remote
attacker could exploit this vulnerability to inject properties onto
Object.prototype to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
156530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2020-8203
DESCRIPTION: Node.js lodash module is vulnerable to a denial of service, caused
by a prototype pollution attack. A remote attacker could exploit this
vulnerability using the merge, mergeWith, and defaultsDeep functions to inject
properties onto Object.prototype to crash the server and possibly execute
arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
183560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-10744
DESCRIPTION: Node.js lodash module is vulnerable to a denial of service, caused
by a prototype pollution flaw. By sending a specially-crafted request using a
constructor payload, a remote attacker could exploit this vulnerability to
inject properties onto Object.prototype to cause a denial of service condition.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
167415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2019-1010266
DESCRIPTION: Lodash is vulnerable to a denial of service, caused by
uncontrolled resource consumption in Date handler. By sending an overly long
string, a local attacker could exploit this vulnerability to cause the
application to stop responding.
CVSS Base score: 4.0
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
168402 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-3721
DESCRIPTION: Node.js lodash module could allow a remote attacker to bypass
security restrictions, caused by a flaw in the defaultsDeep, merge, and
mergeWith functions. By modifying the prototype of Object, an attacker could
exploit this vulnerability to add or modify existing properties that will exist
on all objects.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
144603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-25031
DESCRIPTION: swagger-ui could allow a remote attacker to conduct spoofing
attacks. By persuading a victim to open a specially-crafted URL, an attacker
could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-32803
DESCRIPTION: Node.js tar module could allow a local attacker to traverse
directories on the system, caused by insufficient symlink protection. An
attacker could use a specially-crafted tar file containing "dot dot" sequences
(/../) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
206717 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID: CVE-2021-37713
DESCRIPTION: Node.js tar module could allow a local attacker to execute
arbitrary code on the system, caused by insufficient logic on Windows systems
when extracting tar files that contained a path that was not an absolute path,
but specified a drive letter different from the extraction target. An attacker
could exploit this vulnerability to create or overwrite arbitrary files and
execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
208451 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID: CVE-2021-32804
DESCRIPTION: Node.js tar module could allow a local attacker to traverse
directories on the system, caused by insufficient absolute path sanitization.
An attacker could use a specially-crafted tar file containing "dot dot"
sequences (/../) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
206719 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID: CVE-2021-37701
DESCRIPTION: Node.js tar module could allow a local attacker to execute
arbitrary code on the system, caused by an arbitrary file creation/overwrite
vulnerability. By creating a directory, and then replacing that directory with
a symlink, an attacker could use an untrusted tar file to symlink into an
arbitrary location and extract arbitrary files into that location to create or
overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
208442 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID: CVE-2021-37712
DESCRIPTION: Node.js tar module could allow a local attacker to execute
arbitrary code on the system, caused by an arbitrary file creation/overwrite
vulnerability. By creating a directory, and then replacing that directory with
a symlink that had a different apparent name that resolved to the same entry in
the filesystem, an attacker could use an untrusted tar file to symlink into an
arbitrary location and extract arbitrary files into that location to create or
overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
208450 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

CVEID: CVE-2021-44906
DESCRIPTION: Node.js Minimist module could allow a remote attacker to execute
arbitrary code on the system, caused by a prototype pollution in setKey()
function in the index.js script. By sending a specially-crafted request, an
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
222195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2020-7598
DESCRIPTION: minimist could provide weaker than expected security, caused by a
prototype pollution flaw. By sending a specially crafted request, a remote
attacker could exploit this vulnerability to add or modify properties of
Object.prototype.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
177780 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2021-3765
DESCRIPTION: validator.js is vulnerable to a denial of service, caused by a
regular expression denial of service (ReDoS) flaw when calling the rtrim
function. By sending a specially-crafted regex input, a remote attacker could
exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
212669 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-28469
DESCRIPTION: Node.js glob-parent module is vulnerable to a denial of service.
By sending a specially-crafted request, a remote attacker could exploit this
vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
196451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2021-3807
DESCRIPTION: Chalk ansi-regex module for Node.js is vulnerable to a denial of
service, caused by a regular expression denial of service (ReDoS) flaw. By
sending a specially-crafted regex input, a remote attacker could exploit this
vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
209596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-22959
DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by an
error related to a space in headers. A remote attacker could send a
specially-crafted request with a space (SP) right after the header name before
the colon to lead to HTTP Request Smuggling (HRS). An attacker could exploit
this vulnerability to poison the web cache, bypass web application firewall
protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
211168 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-22960
DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by an
error when parsing the body of chunked requests. A remote attacker could send a
specially-crafted request to lead to HTTP Request Smuggling (HRS). An attacker
could exploit this vulnerability to poison the web cache, bypass web
application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
211171 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
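Both Node.js entries above are parser-leniency bugs: a front-end proxy and the
Node.js back end read the same bytes but disagree about where one request ends
and the next begins, which is what lets an attacker smuggle a second request
past the proxy's controls. The following added example is not Node's own HTTP
parser; it is a strict reader for the request head and for a chunked body that
refuses the two inputs the entries describe (whitespace between a field name and
its colon, and malformed chunked framing) as well as the Content-Length versus
Transfer-Encoding ambiguity that smuggling relies on. The sample requests and
the host name in them are constructed for the demonstration.

```javascript
// Added example, not Node's HTTP parser. Sample requests are constructed.
const TCHAR = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 token characters

// Parse "Request-Line\r\nName: value\r\n...\r\n\r\n". Any whitespace between the
// field name and the colon makes the name a non-token, which RFC 7230 3.2.4
// says a server must reject (accepting it is what CVE-2021-22959 describes).
function parseRequestHead(raw) {
  const lines = raw.split('\r\n');
  const headers = [];
  for (let i = 1; i < lines.length; i++) {
    if (lines[i] === '') break;
    const colon = lines[i].indexOf(':');
    if (colon < 0) throw new Error(`no colon in header line ${JSON.stringify(lines[i])}`);
    const name = lines[i].slice(0, colon);
    if (!TCHAR.test(name)) throw new Error(`invalid field name ${JSON.stringify(name)}`);
    headers.push([name.toLowerCase(), lines[i].slice(colon + 1).trim()]);
  }
  // Smuggling needs two parsers to disagree on the body length. Refuse the
  // combinations that make that possible instead of picking a winner.
  const cl = headers.filter(([n]) => n === 'content-length').map(([, v]) => v);
  const te = headers.filter(([n]) => n === 'transfer-encoding').map(([, v]) => v);
  if (cl.length && te.length) throw new Error('Content-Length and Transfer-Encoding both present');
  if (new Set(cl).size > 1) throw new Error('conflicting Content-Length values');
  if (cl.length && !/^\d+$/.test(cl[0])) throw new Error(`non-numeric Content-Length ${JSON.stringify(cl[0])}`);
  if (te.length && te[te.length - 1].split(',').pop().trim().toLowerCase() !== 'chunked') {
    throw new Error('final transfer-coding is not chunked');
  }
  return {
    requestLine: lines[0],
    headers,
    chunked: te.length > 0,
    contentLength: cl.length ? Number(cl[0]) : 0,
  };
}

// Decode a chunked body strictly: each chunk-size line must be hex digits
// (optionally ";extension"), each chunk must end with CRLF, and nothing may
// follow the terminating zero-size chunk. Trailing bytes are exactly what a
// lenient parser would hand on as the "next request", so they are an error.
function decodeChunked(body) {
  let pos = 0;
  let out = '';
  for (;;) {
    const eol = body.indexOf('\r\n', pos);
    if (eol < 0) throw new Error('truncated chunk-size line');
    const sizeLine = body.slice(pos, eol);
    const m = /^([0-9A-Fa-f]+)(;[^\r\n]*)?$/.exec(sizeLine);
    if (!m) throw new Error(`bad chunk-size line ${JSON.stringify(sizeLine)}`);
    const size = parseInt(m[1], 16);
    pos = eol + 2;
    if (size === 0) {
      if (body.slice(pos) !== '\r\n') throw new Error('bytes after terminating chunk');
      return out;
    }
    if (body.slice(pos + size, pos + size + 2) !== '\r\n') throw new Error('chunk data not terminated by CRLF');
    out += body.slice(pos, pos + size);
    pos += size + 2;
  }
}

// Constructed inputs: one clean request, one with SP before the colon, one
// carrying both length headers, and chunked bodies with and without smuggled
// trailing bytes.
const SAMPLE_HEADS = {
  clean: 'POST /api HTTP/1.1\r\nHost: pulse.example\r\nTransfer-Encoding: chunked\r\n\r\n',
  spaceBeforeColon: 'POST /api HTTP/1.1\r\nHost: pulse.example\r\nContent-Length : 4\r\n\r\n',
  clAndTe: 'POST /api HTTP/1.1\r\nHost: pulse.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n',
};
const SAMPLE_BODIES = {
  clean: '4\r\nabcd\r\n0\r\n\r\n',
  trailing: '4\r\nabcd\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n',
  badSize: '4 x\r\nabcd\r\n0\r\n\r\n',
};

// Return "accepted" or "rejected: <reason>" for each sample, for a quick report.
function report() {
  const verdict = (fn, input) => { try { fn(input); return 'accepted'; } catch (e) { return `rejected: ${e.message}`; } };
  const out = {};
  for (const [k, v] of Object.entries(SAMPLE_HEADS)) out['head:' + k] = verdict(parseRequestHead, v);
  for (const [k, v] of Object.entries(SAMPLE_BODIES)) out['body:' + k] = verdict(decodeChunked, v);
  return out;
}
```

The rejections are deliberately loud: a server that silently "repairs" the
field name or picks one of two conflicting lengths is the component the proxy
will disagree with.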

CVEID: CVE-2021-3918
DESCRIPTION: Json-schema could allow a remote attacker to execute arbitrary
code on the system, caused by an improperly controlled modification of object
prototype attributes. By sending a specially crafted request, an attacker could
exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
213750 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-33502
DESCRIPTION: Node.js normalize-url module is vulnerable to a denial of service,
caused by a ReDoS (regular expression denial of service) flaw in the data URLs.
By using a specially-crafted regex input, a remote attacker could exploit this
vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
202299 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
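Four entries in this bulletin (validator.js rtrim, glob-parent, ansi-regex and
normalize-url) are regular expression denial of service, and they all have the
same shape: an unbounded quantifier whose match can end at many positions,
followed by something that may fail, so a crafted input makes a backtracking
engine retry the quantifier from every position before giving up. The block
below is an added example, not the code of any of those four modules. Its
pattern is a constructed stand-in of that shape, beside a linear-time
replacement and the input-length cap that bounds the damage when the pattern
cannot be changed.

```javascript
// Added example; the regex is a constructed stand-in, not any module's code.
const TRAILING_WS = /\s+$/;

// Quadratic on "x" + " ".repeat(n) + "y": \s+ starts at each of the n spaces,
// runs to the "y", fails at $, and backtracks through every shorter length.
function rtrimRegex(s) {
  return s.replace(TRAILING_WS, '');
}

// Same result in one pass from the end; there is nothing to backtrack.
function rtrimLinear(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end -= 1;
  return s.slice(0, end);
}

// Defence when the pattern itself cannot be replaced: bound the input before
// the regex ever sees it, so the worst case is bounded too.
function rtrimBounded(s, maxLen = 1024) {
  if (s.length > maxLen) throw new RangeError(`input of ${s.length} chars exceeds ${maxLen}`);
  return rtrimRegex(s);
}

// Crafted input: a long run of whitespace that never reaches end-of-string.
function adversarial(n) {
  return 'x' + ' '.repeat(n) + 'y';
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Run both implementations on the crafted input of size n and report.
function compare(n) {
  const input = adversarial(n);
  const a = rtrimRegex(input);
  const b = rtrimLinear(input);
  return {
    n,
    agree: a === b,
    unchanged: a === input,   // nothing to trim: "y" is the last character
    regexMs: timeMs(() => rtrimRegex(input)),
    linearMs: timeMs(() => rtrimLinear(input)),
  };
}
```

On a backtracking engine such as V8's default, doubling n in compare(n) roughly
quadruples regexMs while linearMs grows linearly, which is the signature to
look for when triaging a suspected ReDoS.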

CVEID: CVE-2020-7788
DESCRIPTION: Node.js ini module could allow a remote attacker to execute
arbitrary code on the system, caused by a prototype pollution flaw. By sending
a specially-crafted request, an attacker could exploit this vulnerability to
execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
192931 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
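The largest group in this bulletin is prototype pollution: the lodash entries
(CVE-2018-3721, CVE-2018-16487, CVE-2019-10744, CVE-2020-8203), the minimist
entries (CVE-2020-7598, CVE-2021-44906), json-schema (CVE-2021-3918) and ini
(CVE-2020-7788) all let attacker-controlled keys such as "__proto__" or
"constructor"/"prototype" reach Object.prototype through a recursive merge or
key-setting routine. The block below is an added example written for this
bulletin, not the code of any of those modules: a deliberately naive deep merge
of the shape they fixed, the hardened form, a detection check, and two
constructed payloads that show the difference.

```javascript
// Added example, not the code of lodash, minimist, json-schema or ini.
const isObj = (x) => x !== null && (typeof x === 'object' || typeof x === 'function');

// Vulnerable: walks into whatever target[key] already is, including the
// inherited "__proto__" accessor and Object.prototype via "constructor".
function unsafeMerge(target, source) {
  for (const key in source) {
    const v = source[key];
    if (isObj(v)) {
      if (!isObj(target[key])) target[key] = {};
      unsafeMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

function isPlainObject(x) {
  if (x === null || typeof x !== 'object') return false;
  const proto = Object.getPrototypeOf(x);
  return proto === Object.prototype || proto === null;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skips the keys that reach a prototype, recurses only into plain
// objects, and only into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const v = source[key];
    if (isPlainObject(v)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!isPlainObject(own)) target[key] = {};
      safeMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Constructed payloads. Both arrive as JSON, so "__proto__" is an ordinary own
// key of the parsed object; it only becomes dangerous when a merge indexes
// target["__proto__"], which resolves to Object.prototype.
const PAYLOADS = {
  protoVector: '{"__proto__": {"isAdmin": true}}',
  constructorVector: '{"constructor": {"prototype": {"isAdmin": true}}}',
};

// Apply one payload through the given merge and report whether an unrelated
// object afterwards "has" the injected property. Cleans up either way.
function tryPollute(merge, payloadJson) {
  delete Object.prototype.isAdmin;
  merge({}, JSON.parse(payloadJson));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Detection: a clean Object.prototype has no own enumerable properties, so
// anything Object.keys reports here is pollution.
function detectPollution() {
  return Object.keys(Object.prototype);
}

function demonstrate() {
  const out = { unsafe: {}, safe: {} };
  for (const [name, json] of Object.entries(PAYLOADS)) {
    out.unsafe[name] = tryPollute(unsafeMerge, json);
    out.safe[name] = tryPollute(safeMerge, json);
  }
  out.leftover = detectPollution();
  return out;
}
```

The lodash entries name merge, mergeWith and defaultsDeep as the sink; minimist
and ini reach the same place from argv and INI section names rather than JSON,
so the key filter and own-property checks matter wherever untrusted keys are
written into nested objects, not only in JSON handling. detectPollution() is
cheap enough to run at process start-up or in a test suite as a tripwire.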

Affected Products and Versions

+--------------------+-------------+
|Affected Product(s) |Version(s)   |
+--------------------+-------------+
|IBM QRadar Pulse App|1.0.0 - 2.2.8|
+--------------------+-------------+

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Update to 2.2.9

Workarounds and Mitigations

None

Change History

20 Sep 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
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=qrEG
-----END PGP SIGNATURE-----