Security Bulletin
Summary
There are multiple vulnerabilities impacting IBM Watson Studio in Cloud Pak for Data. This bulletin identifies the steps to take to address the vulnerabilities.
Vulnerability Details
CVEID: CVE-2019-9169
DESCRIPTION: GNU glibc is vulnerable to a heap-based buffer overflow, caused by a buffer over-read flaw in the proceed_next_node function in posix/regexec.c. By sending a specially-crafted argument using a case-insensitive regular-expression match, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-23219
DESCRIPTION: GNU C Library (aka glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the clnt_create function in the sunrpc module. By sending a specially-crafted hostname argument, a local attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 8.4
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-23218
DESCRIPTION: GNU C Library (aka glibc) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the svcunix_create function in the sunrpc module. By sending a specially-crafted path argument, a local attacker could overflow a buffer and execute arbitrary code or cause a denial of service on the system.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 8.4
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2021-35942
DESCRIPTION: GNU C Library (aka glibc) could allow a local attacker to obtain sensitive information, caused by a flaw when called with an untrusted, crafted pattern in thewordexp function. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain read arbitrary memory in parse_param (in posix/wordexp.c), or cause the application to crash.
CWE: CWE-190: Integer Overflow or Wraparound
CVSS Source: IBM X-Force
CVSS Base score: 7.7
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
CVEID: CVE-2022-3515
DESCRIPTION: GnuPG Libksba could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the CRL parser. By sending a specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE: CWE-190: Integer Overflow or Wraparound
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2021-3711
DESCRIPTION: OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the EVP_PKEY_decrypt() function within implementation of the SM2 decryption. By sending specially crafted SM2 content, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-1292
DESCRIPTION: OpenSSL could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c_rehash script. By sending a specially-crafted request using shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands with the privileges of the script on the system.
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS Source: IBM X-Force
CVSS Base score: 6.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-2068
DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c_rehash script. By sending a specially-crafted request using shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands with the privileges of the script on the system.
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-32221
DESCRIPTION: cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw when using the read callback (CURLOPT_READFUNCTION) to ask for data to send. By sending a specially-crafted request, an attacker could exploit this vulnerability to send wrong data or doing a use-after-free is not present in libcurl code.
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source: IBM X-Force
CVSS Base score: 8.2
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
CVEID: CVE-2018-16840
DESCRIPTION: cURL is vulnerable to a denial of service, caused by a heap use-after-free flaw in the Curl_close function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-5481
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a double free flaw during kerberos FTP data transfer. By sending a specially-crafted size of data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CWE: CWE-415: Double Free
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-5482
DESCRIPTION: cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 6.3
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-16839
DESCRIPTION: cURL is vulnerable to a denial of service, caused by the incorrect verification of the passed-in lengths for the name and password fields by the Curl_auth_create_plain_message function. By sending a user name that exceeds 2 GB, an attacker could overflow a buffer and cause a denial of service.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-16842
DESCRIPTION: cURL could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read in the tool_msgs.c:voutf() function. By sending an overly long message, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CWE: CWE-125: Out-of-bounds Read
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID: CVE-2017-5932
DESCRIPTION: GNU Bash could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the path autocompletion feature. By using a specially-crafted filename, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 7.8
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2019-18276
DESCRIPTION: GNU Bash could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the disable_priv_mode in shell.c. By sending a specially-crafted command, an attacker could exploit this vulnerability to escalate privileges.
CWE: CWE-273: Improper Check for Dropped Privileges
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-1271
DESCRIPTION: GNU gzip could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation of file name by the zgrep utility. By using a specially-crafted file name, an attacker could exploit this vulnerability to write arbitrary files or execute arbitrary code on the system.
CWE: CWE-179: Incorrect Behavior Order: Early Validation
CVSS Source: IBM X-Force
CVSS Base score: 8.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2021-39275
DESCRIPTION: Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking by the ap_escape_quotes() function. By sending specially crafted input, a remote attacker could write beyond the end of a buffer.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2021-26691
DESCRIPTION: Apache HTTP Server is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the mod_session. By sending a specially crafted SessionHeader, a remote attacker could overflow a buffer and cause a denial of service.
CWE: CWE-122: Heap-based Buffer Overflow
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-31813
DESCRIPTION: Apache HTTP Server could allow a remote attacker to bypass security restrictions, caused by the failure to send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. An attacker could exploit this vulnerability to bypass IP based authentication on the origin server/application.
CWE: CWE-348: Use of Less Trusted Source
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2021-44790
DESCRIPTION: Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking in the mod_lua multipart parser called from Lua scripts). By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2020-11984
DESCRIPTION: Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking by the mod_proxy_uwsgi module. By sending a specially-crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code or obtain sensitive information on the system.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-22720
DESCRIPTION: Apache HTTP Server is vulnerable to HTTP request smuggling, caused by the failure to close inbound connection when errors are encountered discarding the request body. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-23943
DESCRIPTION: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in mod_sed. By sending specially crafted data, an attacker could exploit this vulnerability to overwrite heap memory and execute arbitrary code on the system.
CWE: CWE-190: Integer Overflow or Wraparound
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2019-10082
DESCRIPTION: Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by a read-after-free in the mod_http2 module during connection shutdown. By sending specially crafted input, a remote attacker could exploit this vulnerability to obtain sensitive information.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2022-28615
DESCRIPTION: Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. An attacker could exploit this vulnerability to crash or disclose information.
CWE: CWE-190: Integer Overflow or Wraparound
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID: CVE-2022-22721
DESCRIPTION: Apache HTTP Server is vulnerable to a buffer overflow, caused by an integer overflow. If LimitXMLRequestBody is set to allow request bodies larger than 350MB, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CWE: CWE-190: Integer Overflow or Wraparound
CVSS Source: IBM X-Force
CVSS Base score: 7.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2021-40438
DESCRIPTION: Apache HTTP Server is vulnerable to server-side request forgery, caused by an error in mod_proxy. By sending a specially crafted request uri-path, a remote attacker could exploit this vulnerability to forward the request to an origin server chosen by the remote user.
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CVSS Source: IBM X-Force
CVSS Base score: 9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2023-4586
DESCRIPTION: Hot Rod client is vulnerable to a man-in-the-middle attack, caused by the failure to enable hostname validation when using TLS. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 7.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2022-24903
DESCRIPTION: rsyslog is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the TCP syslog server (receiver) components. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVSS Source: IBM X-Force
CVSS Base score: 8.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-41741
DESCRIPTION: F5 NGINX products are vulnerable to a denial of service, caused by a flaw in the ngx_http_mp4_module module. By using a specially-crafted audio or video file, a local authenticated attacker could exploit this vulnerability to corrupt NGINX worker memory, and results in a denial of service condition.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: IBM X-Force
CVSS Base score: 7
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2021-3618
DESCRIPTION: Sendmail, vsftpd and NGINX could provide weaker than expected security, caused by an ALPACA (application layer protocol content confusion) attack, which exploits TLS servers implementing different protocols but using compatible certificates. By using man-in the-middle attack techniques, a remote attacker with access to victim's traffic at the TCP/IP layer could redirect traffic from one subdomain to another, resulting in a valid TLS session. The session breaks the authentication of TLS and the packages become vulnerable to cross-protocol attacks.
CWE: CWE-295: Improper Certificate Validation
CVSS Source: IBM X-Force
CVSS Base score: 7.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2022-41742
DESCRIPTION: F5 NGINX products are vulnerable to a denial of service, caused by a flaw in the ngx_http_mp4_module module. By using a specially-crafted audio or video file, a local authenticated attacker could exploit this vulnerability to corrupt NGINX worker memory, and results in a denial of service condition.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: IBM X-Force
CVSS Base score: 7.1
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| Watson Studio on Cloud Pak for Data | 4.0.0 through 4.8.6 and 5.0.0 through 5.0.3 releases |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading.
| Affected Product(s) | Version(s) | Remediation/Fix |
| Watson Studio on Cloud Pak for Data | 4.0.0 through 4.8.6 and 5.0.0 through 5.0.3 releases | Get the latest Watson Studio by upgrading to 5.1.0 or 4.8.7. Details here . |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
03 Mar 2025: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
03 March 2025
Initial Publish date:
03 March 2025
UID
ibm17184671