Security bulletins and fixes
Stay informed about known security vulnerabilities and fixes for IBM Cloud Pak® for AIOps by subscribing to the security bulletins and by reviewing the list of fixed security-related vulnerabilities.
- Security bulletins
- Fixed security-related vulnerabilities in version 4.8.0
- Fixed security-related vulnerabilities in previous versions
Security bulletins
Subscribe to IBM Cloud Pak for AIOps notifications by following these steps:
- Go to the IBM Support site.
- Scroll to the Support basics section. Then, click the Notification settings card.
- Log in to IBM with your IBM ID and password to continue.
- Enter IBM Cloud Pak for AIOps in the Product lookup field. Click Subscribe.
- In the Select document types page, select Security bulletin and Fixes > Security Vulnerability (Sec/Int). You can also select any other document types that you need to keep informed about.
- Click Submit.
- To configure how you receive notifications, click Delivery preferences in the banner at the beginning of the page. Edit your settings as needed.
Fixed security-related vulnerabilities in version 4.8.0
Review the following table, which lists the fixed reported security-related vulnerabilities in IBM Cloud Pak for AIOps and in any included IBM or third-party software.
| CVE-ID | Issue | Description |
|---|---|---|
| CVE-2022-21221 | Go fasthttp package directory traversal | Go fasthttp package could allow a remote attacker to traverse directories on the system, caused by improper validation of user requests by the ServeFile function. An attacker could send a specially crafted URL request containing the backslash (%5c) character to read or write arbitrary files on the system. |
| CVE-2022-48773 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by pointer dereferences in error cases of rpcrdma_ep_create. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2023-38709 | Apache HTTP Server response splitting | Apache HTTP Server is vulnerable to HTTP response splitting attacks, caused by improper input validation in the core. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as web cache poisoning or cross-site scripting, and possibly obtain sensitive information. |
| CVE-2023-49290 | JWx denial of service | JWx is vulnerable to a denial of service, caused by a flaw when the p2c parameter of JWE's PBES2-* algorithms is set too high. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2023-52492 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the channel unregistration function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-0874 | CoreDNS security bypass | CoreDNS could allow a remote attacker to bypass security restrictions, caused by a flaw when the CD bit is set in a query. By sending a specially crafted request, an attacker could exploit this vulnerability to allow CD queries to pass. |
| CVE-2024-3817 | HashiCorp go-getter code execution | HashiCorp go-getter could allow a remote attacker to execute arbitrary code on the system, caused by an argument injection flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2024-6257 | HashiCorp go-getter code execution | HashiCorp go-getter could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation. By using a specially crafted Git configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2024-9143 | OpenSSL code execution | OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory read or write flaw due to the use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause the application to crash. |
| CVE-2024-21208 | Oracle Java SE and GraalVM vulnerability (Networking) | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. A difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. |
| CVE-2024-21210 | Oracle Java SE vulnerability (Hotspot) | Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. A difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. |
| CVE-2024-21217 | Oracle Java SE and GraalVM vulnerability (Serialization) | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. A difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. |
| CVE-2024-21235 | Oracle Java SE and GraalVM vulnerability (Hotspot) | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. A difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. |
| CVE-2024-21534 | jsonpath-plus code execution | jsonpath-plus could allow a remote attacker to execute arbitrary code on the system, caused by improper input sanitization and unsafe default usage of the vm module in Node.js. By exploiting the unsafe default usage of the vm module in Node.js, an attacker could exploit this vulnerability to inject and execute arbitrary code on the system. |
| CVE-2024-21664 | jwx denial of service | jwx is vulnerable to a denial of service, caused by a NULL pointer dereference flaw when parsing a JSON serialized payload without a protected field. By sending a specially crafted payload, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-24814 | OpenIDC mod_auth_openidc denial of service | OpenIDC mod_auth_openidc is vulnerable to a denial of service, caused by missing input validation on the mod_auth_openidc_session_chunks cookie value. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-24857 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a race condition in the conn_info_{min,max}_age_set() function in net/bluetooth. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a Bluetooth connection abnormality or a denial of service condition. |
| CVE-2024-26851 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a bmp length out of range flaw in nf_conntrack_h323. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-26924 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a flaw in the _remove function when more than one element shares the same key. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-26976 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a flaw when a vCPU is clearing its completion queue. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-27017 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by an error in netfilter: nft_set_pipapo. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-27062 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a race condition in the nouveau module. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-28122 | JWx denial of service | JWx is vulnerable to a denial of service, caused by a flaw when using a compressed JWE message. By crafting a JSON Web Encryption (JWE) token with an exceptionally high compression ratio, a remote attacker with a trusted public key could exploit this vulnerability to cause a denial of service. |
| CVE-2024-29025 | Netty denial of service | Netty is vulnerable to a denial of service, caused by a flaw when using the HttpPostRequestDecoder to decode a form. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-29857 | The Bouncy Castle Crypto Package For Java denial of service | The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by improper input validation. By importing an EC certificate with crafted F2m parameters, a remote attacker could exploit this vulnerability to cause excessive CPU consumption. |
| CVE-2024-30171 | The Bouncy Castle Crypto Package For Java information disclosure | The Bouncy Castle Crypto Package For Java could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the RSA decryption (both PKCS#1v1.5 and OAEP) feature. By utilizing timing side-channel attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. |
| CVE-2024-30172 | The Bouncy Castle Crypto Package For Java denial of service | The Bouncy Castle Crypto Package For Java is vulnerable to a denial of service, caused by an infinite loop in the Ed25519 verification code. By persuading a victim to use a specially crafted signature and public key, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-35839 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by an error related to netfilter: bridge: replace physindev with physinif in nf_bridge_info. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-35898 | netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get(). nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can run concurrently with __nft_flowtable_type_get() within nf_tables_newflowtable(), and there is no protection when iterating over the nf_tables_flowtables list in __nft_flowtable_type_get(). |
| CVE-2024-35939 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by the leaking of pages on dma_set_decrypted() failure. A local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-37298 | Gorilla web toolkit schema denial of service | Gorilla web toolkit schema is vulnerable to a denial of service, caused by a memory exhaustion flaw due to sparse slice deserialization. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-37370 | MIT Kerberos 5 (aka krb5) security bypass | MIT Kerberos 5 (aka krb5) could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request to modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, an attacker could exploit this vulnerability to cause the unwrapped token to appear truncated to the application. |
| CVE-2024-37371 | MIT Kerberos 5 (aka krb5) denial of service | MIT Kerberos 5 (aka krb5) is vulnerable to a denial of service, caused by invalid memory reads during GSS message token handling. By sending specially crafted message tokens, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-38540 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds flaw when bnxt_qplib_alloc_init_hwq is called with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-38541 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in of_modalias(). By sending an overly long argument, a local authenticated attacker could exploit this vulnerability to overflow a buffer and cause a denial of service. |
| CVE-2024-38586 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by ring buffer corruption on fragmented Tx packets in r8169. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-38608 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in netif state handling in net/mlx5e. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-39503 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a race condition between namespace cleanup in ipset and the garbage collection of the list:set type. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-39689 | Certifi python-certifi weak security | Certifi python-certifi could provide weaker than expected security, caused by the use of the GLOBALTRUST root certificate. An attacker could exploit this vulnerability to launch further attacks on the system. |
| CVE-2024-39908 | Ruby REXML denial of service | Ruby REXML is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-40924 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by an error related to making the DPT object unshrinkable. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-40961 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in fib6_nh_init(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-40983 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a dst refcount error before decryption is done. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-40984 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference error. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-41009 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in ringbuf. By sending an overly long argument, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-41042 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow in nf_tables_api.c. A local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-41066 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by an skb leak. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-41092 | Linux Kernel code execution | Linux Kernel could allow a local authenticated attacker to execute arbitrary code on the system, caused by a use-after-free error. An attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2024-41093 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by the use of a null framebuffer object. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-41123 | Ruby REXML denial of service | Ruby REXML is vulnerable to a denial of service, caused by improper input validation. By sending specially crafted XML content that contains many specific characters, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-41946 | Ruby REXML denial of service | Ruby REXML is vulnerable to a denial of service, caused by improper input validation. By sending specially crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-42070 | Linux Kernel information disclosure | Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in netfilter: nf_tables. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. |
| CVE-2024-42079 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in gfs2_log_flush. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-42244 | USB: serial: mos7840: fix crash on resume | In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume. Since commit c49cfa917025 ("USB: serial: use generic method if no alternative is provided in usb serial layer"), USB serial core calls the generic resume implementation when the driver has not provided one. This can trigger a crash on resume with mos7840 since support for multiple read URBs was added back in 2011. Specifically, both port read URBs are now submitted on resume for open ports, but the context pointer of the second URB is left set to the core rather than the mos7840 port structure. |
| CVE-2024-42284 | Linux Kernel buffer overflow | Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the tipc_udp_addr2str() function. By sending a specially crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system. |
| CVE-2024-42292 | Linux Kernel information disclosure | Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the zap_modalias_env() function. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition. |
| CVE-2024-42301 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by array out-of-bounds issues in sprintf. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-43398 | Ruby REXML denial of service | Ruby REXML is vulnerable to a denial of service, caused by improper input validation. By using specially crafted XML content, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-43854 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by the metadata added by bio_integrity_prep using plain kmalloc. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-43880 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by an object nesting flaw. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-43889 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a divide-by-zero panic in padata_mt_helper(). By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-43892 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a race condition between multiple idr_remove() calls or between idr_alloc()/idr_replace() and idr_remove() functions. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-44935 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the reuseport_add_sock() function. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-44989 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by NULL pointer dereferences in xfrm real_dev. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-44990 | bonding: fix null pointer deref in bond_ipsec_offload_ok | In the Linux kernel, the following vulnerability has been resolved: bonding: fix null pointer deref in bond_ipsec_offload_ok. We must check if there is an active slave before dereferencing the pointer. |
| CVE-2024-45018 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by missing initialization of extack in flow offload. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-45321 | cpanminus code execution | cpanminus could allow a remote attacker to execute arbitrary code on the system, caused by downloading code via insecure HTTP. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. |
| CVE-2024-46826 | ELF: fix kernel.randomize_va_space double read | In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read. The ELF loader reads "randomize_va_space" twice. It is a sysctl and can change at any moment, so the two loads could in theory see two different values, with unpredictable consequences. The fix issues exactly one load so that the value is consistent across one exec. |
| CVE-2024-47178 | basic-auth-connect's callback uses time-unsafe string comparison | basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0. |
| CVE-2024-47668 | Linux Kernel denial of service | Linux Kernel is vulnerable to a denial of service, caused by a rare race in __genradix_ptr_alloc(). By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service. |
| CVE-2024-49761 | Ruby REXML denial of service | Ruby REXML is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition. |
| CVE-2024-49766 | Werkzeug safe_join not safe on Windows | Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch. |
| CVE-2024-49767 | Werkzeug possible resource exhaustion when parsing file data in forms | Werkzeug is a Web Server Gateway Interface web application library. Applications using werkzeug.formparser.MultiPartParser from a version of Werkzeug prior to 3.0.6 to parse multipart/form-data requests (e.g. all Flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue. |
| CVE-2024-49768 | Waitress has request processing race condition in HTTP pipelining with invalid first request | Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (the default), no more requests are read, and when the first request fails due to a parsing error, the connection is simply closed. However, when request lookahead is enabled, it is possible to process and receive the first request and start sending the error message back to the client while the next request is read and queued. This allows the secondary request to be serviced by the worker thread when the connection should have been closed. Waitress 3.0.1 fixes the race condition. As a workaround, disable channel_request_lookahead; it is set to 0 by default, which disables this feature. |
| CVE-2024-49769 | Pylons Project Waitress denial of service | Pylons Project Waitress is vulnerable to a denial of service, caused by improper error handling for a socket that no longer exists. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause high CPU usage, resulting in a denial of service condition. |
| CVE-2024-52303 | aio-libs aiohttp denial of service | aio-libs aiohttp is vulnerable to a denial of service, caused by a memory leak when middlewares are used. By sending a specially crafted request, a remote attacker could exploit this vulnerability to exhaust available memory resources on the server, resulting in a denial of service condition. |
Fixed security-related vulnerabilities in previous versions
Review the following documentation, which includes the list of fixed reported security-related vulnerabilities in previous versions of IBM Cloud Pak for AIOps:
- Fixed security-related vulnerabilities in version 4.7.1
- Fixed security-related vulnerabilities in version 4.7.0
- Fixed security-related vulnerabilities in version 4.6.1
- Fixed security-related vulnerabilities in version 4.6.0
- Fixed security-related vulnerabilities in version 4.5.1
- Fixed security-related vulnerabilities in version 4.5.0
- Fixed security-related vulnerabilities in version 4.4.1
- Fixed security-related vulnerabilities in version 4.4.0
- Fixed security-related vulnerabilities in version 4.3.0
- Fixed security-related vulnerabilities in version 4.2.1
- Fixed security-related vulnerabilities in version 4.2.0
- Fixed security-related vulnerabilities in version 4.1.2
- Fixed security-related vulnerabilities in version 4.1.1
- Fixed security-related vulnerabilities in version 4.1.0