-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5791
  Security Bulletin: IBM QRadar Network Packet Capture includes components
                    with multiple known vulnerabilities.
                              10 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM QRadar Network Packet Capture Software
Publisher:         IBM
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40674 CVE-2022-38177 CVE-2022-29154
                   CVE-2022-2526

Original Bulletin:
   https://www.ibm.com/support/pages/node/6838295

Comment: CVSS (Max):  9.8 CVE-2022-40674 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM QRadar Network Packet Capture includes components with multiple known
vulnerabilities.

Document Information

Document number    : 6838295
Modified date      : 09 November 2022
Product            : IBM QRadar Network Packet Capture Software
Software version   : 7.4, 7.5
Operating system(s): Linux

Summary

The product includes multiple vulnerable components (e.g., framework
libraries) that may be identified and exploited with automated tools. IBM has
addressed the relevant CVEs.

Vulnerability Details

CVEID: CVE-2022-29154
DESCRIPTION: Rsync could allow a remote attacker to bypass security
restrictions, caused by improper validation of file names received from the
peer. By using man-in-the-middle attack techniques (or by operating a
malicious rsync server), an attacker could exploit this vulnerability to
write arbitrary files inside the directories of connecting peers.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232637
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2022-38177
DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a small
memory leak in the DNSSEC verification code for the ECDSA algorithm. By
spoofing the target resolver with responses that have a malformed ECDSA
signature, a remote attacker could exploit this vulnerability to cause named
to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236705
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-40674
DESCRIPTION: libexpat could allow a remote attacker to execute arbitrary code
on the system, caused by a use-after-free in the doContent function in
xmlparse.c. An attacker who can supply XML to the parser could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236116
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-2526
DESCRIPTION: systemd could allow a remote attacker to execute arbitrary code
on the system, caused by a use-after-free flaw: the on_stream_io() and
dns_stream_complete() functions in "resolved-dns-stream.c" do not increment
the reference count of the DnsStream object. By sending a specially-crafted
request, an attacker could exploit this vulnerability to execute arbitrary
code or cause a denial of service condition on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235161
for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+---------------------------------+------------------------------+
|Affected Product(s)              |Version(s)                    |
+---------------------------------+------------------------------+
|IBM QRadar Network Packet Capture|7.4.0 - 7.4.3 Fix Pack 5      |
+---------------------------------+------------------------------+
|IBM QRadar Network Packet Capture|7.5.0 - 7.5.0 Update Package 2|
+---------------------------------+------------------------------+

Remediation/Fixes

IBM encourages customers to update their systems promptly.

+-------------------------+-------+-------------------------------------------+
|Product                  |Version|Fix                                        |
+-------------------------+-------+-------------------------------------------+
|IBM QRadar Network Packet|7.4    |IBM QRadar Network Packet Capture 7.4.3 Fix|
|Capture                  |       |Pack 6                                     |
+-------------------------+-------+-------------------------------------------+
|IBM QRadar Network Packet|7.5    |IBM QRadar Network Packet Capture 7.5.0    |
|Capture                  |       |Update Package 3                           |
+-------------------------+-------+-------------------------------------------+

Workarounds and Mitigations

None

Change History

04 Nov 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
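The CVE-2022-29154 entry above describes the class of bug: the receiving side trusts file names supplied by its peer, so a peer can name files that land outside the directories the client asked for. The following added example (written for this page, not rsync's code and not IBM's) shows the check a receiver should apply to a peer-supplied file list before creating anything on disk. The requested paths, the hostile file list and the function names are constructed for illustration.

```python
"""
Added example (not rsync's or IBM's code): validate a peer-supplied file list
against the paths the client actually asked for, so a hostile peer cannot
name files outside the requested directories.  The path arguments and the
"peer" list in the demo below are constructed sample data.
"""
import posixpath


def check_name(name, requested):
    """Return (accepted, reason) for one peer-supplied file name.

    `requested` is the list of paths the client asked for, relative to the
    destination; an entry ending in "/" means a whole directory tree.
    Symlink handling on the destination is a separate concern not covered here.
    """
    if not name:
        return False, "empty name"
    if name.startswith("/"):
        return False, "absolute path"
    # Reject before normalising so "docs/../x" cannot collapse into an
    # apparently harmless name that passes the prefix check below.
    if ".." in name.split("/"):
        return False, "parent-directory component"
    clean = posixpath.normpath(name)
    for arg in requested:
        arg_clean = posixpath.normpath(arg)
        if arg.endswith("/"):
            # Directory argument: the directory itself or anything beneath it.
            # A "./" argument means the whole destination, so anything relative is fine.
            if arg_clean == "." or clean == arg_clean or clean.startswith(arg_clean + "/"):
                return True, "under requested directory %s" % arg
        elif clean == arg_clean:
            return True, "requested file %s" % arg
    return False, "not among requested paths"


def filter_file_list(requested, peer_list):
    """Split a peer's file list into (accepted, rejected) lists of (name, reason)."""
    accepted, rejected = [], []
    for name in peer_list:
        ok, reason = check_name(name, requested)
        (accepted if ok else rejected).append((name, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed scenario: the client asked for docs/ and notes.txt; a hostile
    # peer pads the list with names that escape or sit beside those paths.
    requested = ["docs/", "notes.txt"]
    peer_list = [
        "docs/a.txt", "docs/sub/b.txt", "notes.txt",
        "../.ssh/authorized_keys", "/etc/passwd", "other/secret",
        "docs/../other/x", "docsx/evil",
    ]
    accepted, rejected = filter_file_list(requested, peer_list)
    for name, reason in accepted:
        print("ACCEPT", name, "-", reason)
    for name, reason in rejected:
        print("REJECT", name, "-", reason)
```

The prefix comparison is done on the normalised name with a trailing "/" appended to the directory argument, so a sibling such as "docsx/evil" does not pass as a child of "docs/".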
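The Affected Products and Remediation tables above give the affected range and fixed level per release stream. The following added example (written for this page, not an IBM tool or script) parses version strings in the bulletin's own naming ("7.4.3 Fix Pack 5", "7.5.0 Update Package 2") and classifies each host in an inventory against those ranges. The inventory is constructed sample data; how you obtain the reported version from an appliance is outside what this bulletin states.

```python
"""
Added example (not IBM's or AusCERT's code): classify IBM QRadar Network
Packet Capture version strings against the affected ranges and fixed levels
stated in this bulletin.  The inventory used in the demo is constructed
sample data, not output of any QRadar tool.
"""
import re

# "7.4.3 Fix Pack 5" -> major, minor, patch, pack; patch and pack are optional.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:(?:Fix Pack|Update Package)\s*(\d+))?\s*$",
    re.IGNORECASE,
)

# Per release stream, from the bulletin's tables: last affected level and the fix.
_STREAMS = {
    (7, 4): {"last_affected": (7, 4, 3, 5), "fix": "7.4.3 Fix Pack 6"},
    (7, 5): {"last_affected": (7, 5, 0, 2), "fix": "7.5.0 Update Package 3"},
}


def parse_version(text):
    """Return (major, minor, patch, pack); missing patch/pack count as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % (text,))
    major, minor, patch, pack = m.groups()
    return (int(major), int(minor), int(patch or 0), int(pack or 0))


def assess(text):
    """Return 'affected', 'fixed' or 'out of scope' for one version string."""
    version = parse_version(text)
    stream = _STREAMS.get(version[:2])
    if stream is None:
        return "out of scope"  # a release stream this bulletin does not cover
    if version <= stream["last_affected"]:
        return "affected"
    return "fixed"


def triage(inventory):
    """Map each host to (status, recommended fix or None)."""
    result = {}
    for host, version_text in inventory.items():
        status = assess(version_text)
        fix = None
        if status == "affected":
            fix = _STREAMS[parse_version(version_text)[:2]]["fix"]
        result[host] = (status, fix)
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version reported by the appliance.
    sample = {
        "npc-01": "7.4.3 Fix Pack 5",
        "npc-02": "7.4.3 Fix Pack 6",
        "npc-03": "7.5.0 Update Package 2",
        "npc-04": "7.5.0 Update Package 3",
        "npc-05": "7.4.0",
    }
    for host, (status, fix) in sorted(triage(sample).items()):
        print(host, status, fix or "")
```

Versions are compared as tuples, so "7.4.0" (no fix pack) sorts below "7.4.3 Fix Pack 5" and is reported as affected, while anything above the last affected level in a covered stream is treated as fixed.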
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY2yRRMkNZI30y1K9AQgMAw//YtpdreJo2xZvkQ9v7LAQFD4kHbjsHBvI
NrvfdH7/PBzyAeJqx0Vv9HG2bE7O2EGPFoFbUyYQwZTY24Gmyfgu4GJEbQ0+99ix
2+AqeeNNLUGnENdE3HBQj/o5gcKUjr4oHnnUaGCJ4JHRNcOAxgIrl+WRGETxt+Lt
NyGTY9XSfTQ4Jrl7tR4JCVIkQLu5xWe/KAWfgmH7FdEsbyNGarul/xz6m4TLbn92
8005UkTRl0Pm68X4nGjrzRpemzCrhKkO9HOLaf8y8Vehrlcs50swVirm6ZqcMALN
vpAtlh6Bz9PpPwGmRNxEvr46iDdBtXkcTX4XHe6TDsj1m8s53OiKpKKBJa4Tefgm
Eyp72h2efGniYNOe8s68XYAcULOWLJCSoRMzQHMdwG02MneAL/+oZQQkuPp9ghKA
PPlNWVsg48udfnsej/HW3KJ8iuHEFKrTn789ty8SKHjZ3b7Px5Qgq2dTs9rnSvIg
PagsErlhVayinME597RahaI0CVl736Q/OqYFEcPAy5b0kOXI9bYQBfRx8FNcM6lK
BHDhZPn301tTLxJ9jTmXjooXqQ5WWHE8b/5PYcnRzM3pZGMV6e6HziRJO+celH7H
6FNo1TB2eWx03/yPMpZTz9oiEBycQxK+MUumAbte5Gjx7I/r7jX/qD5wny7JTw+b
HdURNB/cRGw=
=IDTn
-----END PGP SIGNATURE-----