-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5791
           Security Bulletin: IBM QRadar Network Packet Capture
         includes components with multiple known vulnerabilities.
                             10 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar Network Packet Capture Software
Publisher:         IBM
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40674 CVE-2022-38177 CVE-2022-29154
                   CVE-2022-2526  

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6838295

Comment: CVSS (Max):  9.8 CVE-2022-40674 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM QRadar Network Packet Capture includes components with multiple known
vulnerabilities.

Document Information

Document number    : 6838295
Modified date      : 09 November 2022
Product            : IBM QRadar Network Packet Capture Software
Software version   : 7.4, 7.5
Operating system(s): Linux

Summary

The product includes multiple vulnerable components (e.g., framework libraries)
that may be identified and exploited with automated tools. IBM has addressed
the relevant CVEs.

Vulnerability Details

CVEID: CVE-2022-29154
DESCRIPTION: Rsync could allow a remote attacker to bypass security
restrictions, caused by improper validation of file names. By using
man-in-the-middle attack techniques, an attacker could exploit this
vulnerability to write arbitrary files inside the directories of connecting
peers.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232637
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2022-38177
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a small
memory leak in the DNSSEC verification code for the ECDSA algorithm. By
spoofing the target resolver with responses that have a malformed ECDSA
signature, a remote attacker could exploit this vulnerability to cause named to
crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236705
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-40674
DESCRIPTION: libexpat could allow a remote attacker to execute arbitrary code
on the system, caused by a use-after-free in the doContent function in
xmlparse.c. An attacker could exploit this vulnerability to execute arbitrary
code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236116
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-2526
DESCRIPTION: systemd could allow a remote attacker to execute arbitrary code on
the system, caused by a use-after-free flaw due to the on_stream_io() function
and dns_stream_complete() function in "resolved-dns-stream.c" not incrementing
the reference counting for the DnsStream object. By sending a specially-crafted
request, an attacker could exploit this vulnerability to execute arbitrary code
or cause a denial of service condition on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235161
for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions


+---------------------------------+------------------------------+
|Affected Product(s)              |Version(s)                    |
+---------------------------------+------------------------------+
|IBM QRadar Network Packet Capture|7.4.0 - 7.4.3 Fix Pack 5      |
+---------------------------------+------------------------------+
|IBM QRadar Network Packet Capture|7.5.0 - 7.5.0 Update Package 2|
+---------------------------------+------------------------------+

Remediation/Fixes

IBM encourages customers to update their systems promptly.
+-------------------------+-------+-------------------------------------------+
|Product                  |Version|Fix                                        |
+-------------------------+-------+-------------------------------------------+
|IBM QRadar Network Packet|7.4    |IBM QRadar Network Packet Capture 7.4.3 Fix|
|Capture                  |       |Pack 6                                     |
+-------------------------+-------+-------------------------------------------+
|IBM QRadar Network Packet|7.5    |IBM QRadar Network Packet Capture 7.5.0    |
|Capture                  |       |Update Package 3                           |
+-------------------------+-------+-------------------------------------------+
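To turn the two tables above into an inventory check, here is an added example (not IBM's or AusCERT's code) that parses a QRadar Network Packet Capture build string, tests it against the affected ranges, and reports the fix level from the remediation table. The affected ranges and fix levels are copied from the bulletin; the version-string format ("7.4.3 Fix Pack 5", "7.5.0 Update Package 2") is assumed to match how the bulletin writes them, and the inventory lines are constructed for illustration.

```python
"""Triage helper for this bulletin: is an installed IBM QRadar Network
Packet Capture build inside an affected range, and which fix applies?

Added example, not vendor code. Ranges and fixes are from the bulletin
tables; the version-string format is assumed from how they are written
there; the inventory below is constructed.
"""
import re

# "7.4.3 Fix Pack 5" / "7.5.0 Update Package 2" / bare "7.4.0"
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+(?:Fix Pack|Update Package)\s+(\d+))?\s*$"
)


def parse_version(text: str) -> tuple:
    """'7.4.3 Fix Pack 5' -> (7, 4, 3, 5); bare '7.4.0' -> (7, 4, 0, 0).
    The fourth element is the Fix Pack / Update Package level (0 if none),
    so tuple comparison orders builds the same way the bulletin does."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, level = m.groups()
    return (int(major), int(minor), int(patch), int(level or 0))


# (lowest affected, highest affected, fix) per the bulletin tables.
AFFECTED_RANGES = [
    ("7.4.0", "7.4.3 Fix Pack 5", "IBM QRadar Network Packet Capture 7.4.3 Fix Pack 6"),
    ("7.5.0", "7.5.0 Update Package 2", "IBM QRadar Network Packet Capture 7.5.0 Update Package 3"),
]


def required_fix(installed: str):
    """Return the fix to apply, or None if the build is outside every
    affected range (already at or beyond the fix level)."""
    v = parse_version(installed)
    for low, high, fix in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fix
    return None


# Constructed inventory: (hostname, reported product version).
INVENTORY = [
    ("npc-01", "7.4.3 Fix Pack 5"),
    ("npc-02", "7.4.3 Fix Pack 6"),
    ("npc-03", "7.5.0 Update Package 1"),
    ("npc-04", "7.5.0 Update Package 3"),
    ("npc-05", "7.4.1"),
]


def triage(inventory) -> dict:
    """Map hostname -> fix needed (None when not affected)."""
    return {host: required_fix(ver) for host, ver in inventory}


if __name__ == "__main__":
    for host, fix in triage(INVENTORY).items():
        print(f"{host}: {'not affected' if fix is None else 'apply ' + fix}")
```

A build that reports a version the regex does not recognise raises rather than being silently marked unaffected, which is the safer failure for an inventory sweep.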

Workarounds and Mitigations

None

Change History

04 Nov 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----