IBM Support

IT46393: IBM SPECTRUM CONTROL SECURITY APAR FOR CVE-2024-21892, CVE-2024-22019, CVE-2024-27983, CVE-2024-27980

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct links to fixes

IBM Spectrum Control 5.4.12 - performance patch
IBM Spectrum Control 5.4.12 - Windows Server
IBM Spectrum Control 5.4.12 - Linux Server
IBM Spectrum Control 5.4.12 - AIX Server
IBM Spectrum Control 5.4.12 - Agents

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2024-21892
Description: Node.js could allow a remote attacker to gain
elevated privileges on the system, caused by a bug in the
implementation of the exception of CAP_NET_BIND_SERVICE. An
attacker could exploit this vulnerability to inject code that
inherits the process's elevated privileges.

CVEID: CVE-2024-22019
Description: Node.js is vulnerable to a denial of service,
caused by an error when reading unprocessed HTTP request with
unbounded chunk extension. By sending a specially crafted HTTP
request, an attacker could exploit this vulnerability to exhaust
all available resources.

CVEID: CVE-2024-27983
Description: Node.js is vulnerable to a denial of service,
caused by an assertion failure in
node::http2::Http2Session::~Http2Session(). By sending a small
amount of HTTP/2 frames packets with a few HTTP/2 frames inside,
an attacker could exploit this vulnerability to cause the HTTP/2
server to crash.

CVEID: CVE-2024-27980
Description: Node.js could allow a remote attacker to execute
arbitrary commands on the system, caused by the improper
handling of batch files in child_process.spawn /
child_process.spawnSync. By sending a specially crafted command
line argument using args parameter, an attacker could exploit
this vulnerability to inject and execute arbitrary commands on
the system.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* IBM Spectrum Control 5.4.0 - 5.4.11 users                    *
*                                                              *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* SECURITY APAR FOR:                                           *
* CVE-2024-21896, CVE-2024-21892,                              *
* CVE-2024-22019, CVE-2024-27983,                              *
* CVE-2024-27980                                               *
*                                                              *
* See security bulletin for details of the vulnerabilities:    *
* https://www.ibm.com/support/pages/node/7159293               *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
* Apply fix maintenance.                                       *
*                                                              *
****************************************************************

    



Problem conclusion



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT46393
    • 

  • Reported component name
    TPC
    • 

  • Reported component ID
    5608TPC00
    • 

  • Reported release
    549
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2024-06-21
    • 

  • Closed date
    2024-07-09
    • 

  • Last modified date
    2024-07-09
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    TPC
    • 

  • Fixed component ID
    5608TPC00
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSWFB4","label":"IBM Spectrum Control Standard Edition"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"549","Line of Business":{"code":"LOB69","label":"Storage TPS"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            03 January 2025
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback