-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5188
        Multiple vulnerabilities in Spark affecting IBM QRadar User
                            Behavior Analytics
                              19 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-25647 CVE-2021-34538 CVE-2021-29425
                   CVE-2021-22569 CVE-2020-13936 CVE-2020-9492
                   CVE-2020-7656 CVE-2019-10202 CVE-2019-10172
                   CVE-2019-0205 CVE-2015-9251 CVE-2012-6708
                   CVE-2012-5783 CVE-2011-4969 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6830243

Comment: CVSS (Max):  5.5 CVE-2021-22569 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics

Document Information

Document number    : 6830243
Modified date      : 18 October 2022
Product            : IBM QRadar SIEM
Component          : User Behavior Analytics
Software version   : 4.1.9
Operating system(s): Linux

Summary

Multiple vulnerabilities exist in Spark, which is used by IBM QRadar User
Behavior Analytics (UBA). These vulnerabilities are addressed in UBA by
upgrading to a version of Spark and packages that are associated with Spark
that resolve the vulnerabilities.

Vulnerability Details

CVEID: CVE-2012-5783
DESCRIPTION: Apache Commons HttpClient, as used in Amazon Flexible Payments
Service (FPS) merchant Java SDK and other products, could allow a remote
attacker to conduct spoofing attacks, caused by the failure to verify that the
server hostname matches a domain name in the subject's Common Name (CN) field
of the X.509 certificate. By persuading a victim to visit a Web site containing
a specially-crafted certificate, an attacker could exploit this vulnerability
using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79984 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2021-22569
DESCRIPTION: Google Protocol Buffer (protobuf-java) is vulnerable to a denial
of service, caused by an issue that allows interleaving of
com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open
specially-crafted content, a remote attacker could exploit this vulnerability
to cause a timeout in the ProtobufFuzzer function, resulting in a denial of
service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216851 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-10202
DESCRIPTION: Red Hat JBoss Enterprise Application Platform (EAP) could allow a
remote attacker to execute arbitrary code on the system, caused by improper
deserialization in Codehaus. By sending a specially-crafted request, an
attacker could exploit this vulnerability to execute arbitrary code on the
system.
CVSS Base score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/168251 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-10172
DESCRIPTION: Jackson-mapper-asl could allow a remote attacker to obtain
sensitive information, caused by an XML external entity (XXE) error when
processing XML data. By sending specially-crafted XML data, a remote attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/172436 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2011-4969
DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input when handling the "location.hash" property. A
remote attacker could exploit this vulnerability to inject malicious script
into a Web page which would be executed in a victim's Web browser within the
security context of the hosting Web site, once the page is viewed. An attacker
could use this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82875 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-9251
DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input. A remote attacker could exploit this
vulnerability using a specially-crafted URL to execute script in a victim's Web
browser within the security context of the hosting Web site, once the URL is
clicked. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138029 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2012-6708
DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input by the jQuery(strInput) function. A remote
attacker could exploit this vulnerability to inject malicious script
into a Web page which would be executed in a victim's Web browser within the
security context of the hosting Web site, once the page is viewed. An attacker
could use this vulnerability to steal the victim's cookie-based authentication
credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-7656
DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper
validation of user-supplied input by the load method. A remote attacker could
exploit this vulnerability to inject malicious script into a Web page which
would be executed in a victim's Web browser within the security context of the
hosting Web site, once the page is viewed. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/182264 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2021-29425
DESCRIPTION: Apache Commons IO could allow a remote attacker to traverse
directories on the system, caused by improper input validation by the
FilenameUtils.normalize method. An attacker could send a specially-crafted URL
request containing "dot dot" sequences (/../) to view arbitrary files on the
system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2020-9492
DESCRIPTION: Apache Hadoop could allow a remote authenticated attacker to gain
elevated privileges on the system, caused by improper validation of the SPNEGO
authorization header. By sending a specially-crafted request, an authenticated
attacker could exploit this vulnerability to gain elevated privileges to
trigger services to send server credentials to a webhdfs path for capturing the
service principal.
CVSS Base score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/195656 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-34538
DESCRIPTION: Apache Hive could allow a remote attacker to bypass security
restrictions, caused by improper authorization validation by the CREATE and
DROP function operations. By sending a specially-crafted request, an attacker
could exploit this vulnerability to drop and recreate UDFs, pointing them to
malicious jars.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/231404 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-0205
DESCRIPTION: Apache Thrift is vulnerable to a denial of service, caused by an
error when processing untrusted Thrift payload. A remote attacker could exploit
this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/169460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-25647
DESCRIPTION: Google Gson is vulnerable to a denial of service, caused by the
deserialization of untrusted data. By using the writeReplace() method, a remote
attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)

CVEID: CVE-2020-13936
DESCRIPTION: Apache Velocity could allow a remote attacker to execute arbitrary
code on the system, caused by a sandbox bypass flaw. By modifying the Velocity
templates, an attacker could exploit this vulnerability to execute arbitrary
code with the same privileges as the account running the Servlet container.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/197993 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+------------------------------+----------+
|Affected Product(s)           |Version(s)|
+------------------------------+----------+
|QRadar User Behavior Analytics|4.1.8     |
+------------------------------+----------+

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Upgrade to version 4.1.9.

Workarounds and Mitigations

None

Change History

28 Sep 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----