-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5409
  Security Bulletin: IBM QRadar SIEM Application Framework Base Image is
         vulnerable to using components with Known Vulnerabilities
                              27 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1154 CVE-2021-38185 CVE-2021-3634

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6831853

Comment: CVSS (Max):  7.8 CVE-2022-1154 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM QRadar SIEM Application Framework Base Image is vulnerable to using
components with Known Vulnerabilities

Document Information

Document number    : 6831853
Modified date      : 25 October 2022
Product            : IBM QRadar SIEM
Software version   : 7.4, 7.5
Operating system(s): Linux

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2021-38185
DESCRIPTION: GNU cpio could allow a remote attacker to execute arbitrary code
on the system, caused by an integer overflow that triggers an out-of-bounds
heap write in the ds_fgetstr function in dstring.c. By persuading a victim to
open a specially-crafted pattern file, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207047 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-1154
DESCRIPTION: Vim is vulnerable to a heap-based buffer overflow, caused by a
use-after-free in mbyte.c in utf_ptr2char. By sending a specially-crafted
request, a local authenticated attacker could overflow a buffer and execute
arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223115 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2021-3634
DESCRIPTION: libssh is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking. By sending a specially-crafted request, a remote
authenticated attacker could overflow a buffer and execute arbitrary code on
the system or cause the application to crash.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208281 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

+-------------------+---------------------------+
|Affected Product(s)|Version(s)                 |
+-------------------+---------------------------+
|IBM QRadar SIEM    |7.4.0 - 7.4.3 Fix Pack 6   |
+-------------------+---------------------------+
|IBM QRadar SIEM    |7.5.0 - 7.5.0 Update Pack 2|
+-------------------+---------------------------+

Remediation/Fixes

IBM encourages customers to update their systems promptly.
+-------------------+--------+--------------------+
|Affected Product(s)|Versions|Fix                 |
+-------------------+--------+--------------------+
|IBM QRadar SIEM    |7.4     |7.4.3 Fix Pack 7    |
+-------------------+--------+--------------------+
|IBM QRadar SIEM    |7.5     |7.5.0 Update Pack 3 |
+-------------------+--------+--------------------+
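
The check below is an added example and not part of the IBM or AusCERT
text. It encodes the fix levels from the Remediation/Fixes table above and
classifies a fleet of installed QRadar versions as affected, fixed or out of
scope of this bulletin. It assumes version strings are written in the
bulletin's own notation ("7.4.3 Fix Pack 6", "7.5.0 Update Pack 2") or the
FP/UP shorthand; the hostnames and installed versions in SAMPLE_INVENTORY are
constructed for the example, and a maintenance release later than the listed
fix is assumed to carry it.

```python
import re
from typing import Dict, Tuple

# Fix levels per release train, taken from the bulletin's Remediation/Fixes table.
FIXED = {
    "7.4": "7.4.3 Fix Pack 7",
    "7.5": "7.5.0 Update Pack 3",
}

# Accepts "7.4.3 Fix Pack 6", "7.5.0 Update Pack 2", and the FP/UP shorthand.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)"                               # major.minor.maintenance
    r"(?:\s+(?:Fix Pack|Update Pack|FP|UP)\s*(\d+))?\s*$",   # optional pack number
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '7.4.3 Fix Pack 6' into (7, 4, 3, 6); a release with no pack is pack 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QRadar version string: {text!r}")
    major, minor, maint, pack = m.groups()
    return (int(major), int(minor), int(maint), int(pack or 0))


def assess(installed: str) -> str:
    """Return 'affected', 'fixed' or 'out_of_scope' for one installed version."""
    v = parse_version(installed)
    train = f"{v[0]}.{v[1]}"
    if train not in FIXED:
        # Release trains the bulletin does not list (e.g. 7.3) are not assessed here.
        return "out_of_scope"
    # Tuple comparison orders (major, minor, maintenance, pack) lexicographically,
    # so 7.4.3 FP6 < 7.4.3 FP7 and 7.4.3 (no pack) < 7.4.3 FP7.
    if v >= parse_version(FIXED[train]):
        return "fixed"
    return "affected"


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "qradar-console-01": "7.4.3 Fix Pack 6",
    "qradar-console-02": "7.4.3 Fix Pack 7",
    "qradar-ep-01": "7.5.0 Update Pack 2",
    "qradar-ep-02": "7.5.0 UP3",
    "qradar-lab": "7.3.3 Fix Pack 10",
}


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in the inventory against the bulletin's fix table."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:20} {SAMPLE_INVENTORY[host]:22} {status}")
```

Feed `report()` the version strings from your own asset inventory; any host
reported as "affected" should be taken to 7.4.3 Fix Pack 7 or 7.5.0 Update
Pack 3 as the table specifies.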

Workarounds and Mitigations

None

Change History

31 Aug 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----