IBM database updates address critical vulnerabilities in third-party XML parser

IBM has updated data management platform Db2 in order to protect users from a pair of critical vulnerabilities in older versions of Expat, a third-party library.

Both flaws notched a CVSS score of 9.8 and each potentially allowed attackers to execute arbitrary code on vulnerable systems because of integer overflow issues.

The integer overflows are located in Expat’s XML_GetBuffer (CVE-2022-23852) and doProlog (CVE-2022-23990) functions.
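The bug class the article names, an integer overflow in a parser’s buffer-size arithmetic, shown as an added C illustration that is not Expat’s own source: `needed_size_unchecked` shows how a negative or oversized `int len` wraps the computed size, while `needed_size_checked` and `get_buffer_checked` are hypothetical hardened counterparts; the `parse_buf` structure and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical parse buffer (an assumption for this example), modelled on
 * the role a get-buffer call plays in a streaming XML parser: the caller
 * asks for `len` more writable bytes and the parser works out how large
 * the buffer must become. */
struct parse_buf {
    char  *data;
    size_t used;      /* bytes already holding unparsed input */
    size_t capacity;  /* bytes allocated */
};

/* Unchecked arithmetic of the kind the advisories describe: a negative or
 * very large `int len` makes `needed` wrap, so the parser believes no
 * growth is required and later writes of `len` bytes run past the end. */
size_t needed_size_unchecked(const struct parse_buf *b, int len) {
    return b->used + (size_t)len;   /* (size_t)-1 wraps to used - 1 */
}

/* Hardened computation: reject negative requests and detect overflow
 * before any allocation or capacity comparison. Returns 1 on success
 * with the result in *out, 0 when the request cannot be satisfied. */
int needed_size_checked(const struct parse_buf *b, int len, size_t *out) {
    if (len < 0)
        return 0;                      /* caller bug or hostile input */
    if ((size_t)len > SIZE_MAX - b->used)
        return 0;                      /* used + len would overflow */
    *out = b->used + (size_t)len;
    return 1;
}

/* Grow the buffer through the checked path; NULL means the request was
 * refused or memory could not be obtained. */
char *get_buffer_checked(struct parse_buf *b, int len) {
    size_t needed;
    if (!needed_size_checked(b, len, &needed))
        return NULL;
    if (needed > b->capacity) {
        char *p = realloc(b->data, needed);
        if (p == NULL)
            return NULL;
        b->data = p;
        b->capacity = needed;
    }
    return b->data + b->used;
}
```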

If exploited, the bugs “could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS)”, according to related advisories from NetApp, which is working on fixes for several of its own vulnerable products.

IBM Db2 is only one of many enterprise products that bundle Expat (aka libexpat), a C library for parsing XML that dates back to 1997 and “excels with files too large to fit RAM, and where performance and flexibility are crucial”, according to its maintainers.

Downstream patches

The maintainers of Expat patched the flaws in version 2.4.4, which dropped on January 30, 2022.

The bugs affect Db2 versions 9.7.x, 10.1.x, 10.5.x, and 11.1.x.

IBM has advised customers running vulnerable fixpack levels to download a corresponding special build containing an interim fix. “These special builds are available based on the most recent fixpack level for each impacted release: V9.7 FP11, V10.1 FP6, V10.5 FP11, and V11.1.4 FP6,” reads an IBM security bulletin issued on April 20.

The Expat flaws have also prompted updates to the Oracle Communications MetaSolv Solution and Red Hat Enterprise Linux.

Pulse Secure has scheduled releases addressing the issues for a number of products, including Pulse Desktop Client, Pulse Connect Secure, and Ivanti Connect Secure, and is still investigating whether certain other products are vulnerable too.

There have been other related advisories from Linux distribution Ubuntu, Cisco in relation to its 8000 Series of video surveillance cameras, and Dell EMC regarding its VxRail hyper-converged infrastructure (storage) appliances.

Source: https://portswigger.net/daily-swig/ibm-database-updates-address-critical-vulnerabilities-in-third-party-xml-parser
