Security Bulletin: IBM Storage Defender: Data Protect vulnerabilities resolved in release Defender 2.0.14/Data Protect 7.2.2

Security Bulletin

Summary

Security Bulletin: IBM Storage Defender: Data Protect vulnerabilities resolved in release Defender 2.0.14/Data Protect 7.2.2_u1. The vulnerabilities have been addressed in Data Protect 7.2.2_u1, which is included with IBM Storage Defender 2.0.14.

Vulnerability Details

CVEID: CVE-2023-26118
DESCRIPTION: Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-52337
DESCRIPTION: A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 5.5
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2022-41724
DESCRIPTION: Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
CWE: CWE-400: Uncontrolled Resource Consumption
CVSS Source: IBM X-Force
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-26117
DESCRIPTION: Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-29403
DESCRIPTION: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
CWE: CWE-668: Exposure of Resource to Wrong Sphere
CVSS Source: IBM X-Force
CVSS Base score: 7.8
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-26116
DESCRIPTION: Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
CWE: CWE-1333: Inefficient Regular Expression Complexity
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-25869
DESCRIPTION: All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of elements. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/79.html&#34">https://cwe.mitre.org/data/definitions/79.html&#34</a>; target="_blank">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a> CVSS Source: IBM X-Force CVSS Base score: 4.2 CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2024-36114&#34">https://www.cve.org/CVERecord?id=CVE-2024-36114&#34</a>; target="_blank">CVE-2024-36114</a> DESCRIPTION: Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/125.html&#34">https://cwe.mitre.org/data/definitions/125.html&#34</a>; target="_blank">CWE-125: Out-of-bounds Read</a> CVSS Source: IBM X-Force CVSS Base score: 8.6 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2024-21490&#34">https://www.cve.org/CVERecord?id=CVE-2024-21490&#34</a>; target="_blank">CVE-2024-21490</a> DESCRIPTION: This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](<a href="https://www.npmjs.com/package/@angular/core">https://www.npmjs.com/package/@angular/core</a>). CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/1333.html&#34">https://cwe.mitre.org/data/definitions/1333.html&#34</a>; target="_blank">CWE-1333: Inefficient Regular Expression Complexity</a> CVSS Source: IBM X-Force CVSS Base score: 7.5 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2024-52530&#34">https://www.cve.org/CVERecord?id=CVE-2024-52530&#34</a>; target="_blank">CVE-2024-52530</a> DESCRIPTION: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/444.html&#34">https://cwe.mitre.org/data/definitions/444.html&#34</a>; target="_blank">CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')</a> CVSS Source: IBM X-Force CVSS Base score: 6.5 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2019-10172&#34">https://www.cve.org/CVERecord?id=CVE-2019-10172&#34</a>; target="_blank">CVE-2019-10172</a> DESCRIPTION: A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/611.html&#34">https://cwe.mitre.org/data/definitions/611.html&#34</a>; target="_blank">CWE-611: Improper Restriction of XML External Entity Reference</a> CVSS Source: IBM X-Force CVSS Base score: 5.9 CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2013-2419&#34">https://www.cve.org/CVERecord?id=CVE-2013-2419&#34</a>; target="_blank">CVE-2013-2419</a> DESCRIPTION: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to affect availability via unknown vectors related to 2D. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "font processing errors" in the International Components for Unicode (ICU) Layout Engine before 51.2. CVSS Source: IBM X-Force CVSS Base score: 5.3 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2024-38428&#34">https://www.cve.org/CVERecord?id=CVE-2024-38428&#34</a>; target="_blank">CVE-2024-38428</a> DESCRIPTION: url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/436.html&#34">https://cwe.mitre.org/data/definitions/436.html&#34</a>; target="_blank">CWE-436: Interpretation Conflict</a> CVSS Source: IBM X-Force CVSS Base score: 5.4 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2018-12617&#34">https://www.cve.org/CVERecord?id=CVE-2018-12617&#34</a>; target="_blank">CVE-2018-12617</a> DESCRIPTION: qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/190.html&#34">https://cwe.mitre.org/data/definitions/190.html&#34</a>; target="_blank">CWE-190: Integer Overflow or Wraparound</a> CVSS Source: IBM X-Force CVSS Base score: 5.3 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2015-3202&#34">https://www.cve.org/CVERecord?id=CVE-2015-3202&#34</a>; target="_blank">CVE-2015-3202</a> DESCRIPTION: fusermount in FUSE before 2.9.3-15 does not properly clear the environment before invoking (1) mount or (2) umount as root, which allows local users to write to arbitrary files via a crafted LIBMOUNT_MTAB environment variable that is used by mount's debugging feature. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/264.html&#34">https://cwe.mitre.org/data/definitions/264.html&#34</a>; target="_blank">CWE-264: Permissions, Privileges, and Access Controls</a> CVSS Source: IBM X-Force CVSS Base score: 7.2 CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2018-1125&#34">https://www.cve.org/CVERecord?id=CVE-2018-1125&#34</a>; target="_blank">CVE-2018-1125</a> DESCRIPTION: procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/121.html&#34">https://cwe.mitre.org/data/definitions/121.html&#34</a>; target="_blank">CWE-121: Stack-based Buffer Overflow</a> CVSS Source: IBM X-Force CVSS Base score: 7.3 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2019-18276&#34">https://www.cve.org/CVERecord?id=CVE-2019-18276&#34</a>; target="_blank">CVE-2019-18276</a> DESCRIPTION: An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/273.html&#34">https://cwe.mitre.org/data/definitions/273.html&#34</a>; target="_blank">CWE-273: Improper Check for Dropped Privileges</a> CVSS Source: IBM X-Force CVSS Base score: 8.8 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVEID: <a href="<a href="https://www.cve.org/CVERecord?id=CVE-2022-25844&#34">https://www.cve.org/CVERecord?id=CVE-2022-25844&#34</a>; target="_blank">CVE-2022-25844</a> DESCRIPTION: The package angular after 1.7.0 are vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher. CWE: <a href="<a href="https://cwe.mitre.org/data/definitions/1333.html&#34">https://cwe.mitre.org/data/definitions/1333.html&#34</a>; target="_blank">CWE-1333: Inefficient Regular Expression Complexity</a> CVSS Source: IBM X-Force CVSS Base score: 5.3 CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Storage Defender - Data Protect	2.0.0-2.0.13

Remediation/Fixes

Action Required: IBM strongly recommends updating IBM Storage Defender to version 2.0.14. This IBM Storage Defender provides the Data Protect 7.2.2_u1 software level.
Reference this document Download Information: IBM Storage Defender 2.x Data Protect which describes how to download installation images for IBM Storage Defender. Link to Fix Central: IBM Storage Defender 2.0.14

Workarounds and Mitigations

Upgrade IBM Storage Defender to version 2.0.14.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Acknowledgement

Change History

23 Jun 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSDR5G6","label":"IBM Storage Defender"},"Component":"Data Protect","Platform":[{"code":"PF016","label":"Linux"}],"Version":"2.0.0-2.013","Edition":"","Line of Business":{"code":"LOB69","label":"Storage TPS"}}]

Was this topic helpful?

Document Information

Modified date:
23 June 2025

Initial Publish date:
23 June 2025

UID

ibm17235773

Tips

Security Bulletin: IBM Storage Defender: Data Protect vulnerabilities resolved in release Defender 2.0.14/Data Protect 7.2.2_u1