A huge collection of 3400+ free website templates JAR theme com WP themes and more at the biggest community-driven free web design site
Home / security-advisories / Arbitrary Code Execution Vulnerabilities in Multiple IBM Products (CVE-2023-45871, CVE-2023-39320, CVE-2023-51385)

Arbitrary Code Execution Vulnerabilities in Multiple IBM Products (CVE-2023-45871, CVE-2023-39320, CVE-2023-51385)

Advisory No: TZCERT/SA/2024/05/24-1

Date of First Release: 24th May 2024

Source: IBM

Software Affected: IBM Cloud Object System, IBM QRadar SIEM, IBM Security Guardium, IBM Storage Copy, IBM Storage Protect, IBM Storage Scale System, IBM Cloud Pak for Data Scheduling, IBM Spectrum Protect Plus, IBM AIX IBM i, IBM QRadar, IBM VIOS

Overview:

Multiple IBM products are vulnerable to critical vulnerabilities. The attackers can leverage the vulnerability to execute arbitrary code on the affected system.

Description:

Rated at 9.8 and tracked as CVE-2023-45871, CVE-2023-39320, CVE-2023-51385, the vulnerabilities affect Linux kernel, golang, and OpenSSH respectively. The flaws exist as a result of improper bounds checking by the IGB driver in drivers/net/ethernet/intel/igb/igb_main.c in Linux kernel, go.mod toolchain directive in golang and improper validation of shell metacharacters in OpenSSH. The attackers can send specially crafted messages to execute arbitrary code on the vulnerable system.

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution:

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References:

  1. https://exchange.xforce.ibmcloud.com/vulnerabilities/268717
  2. https://exchange.xforce.ibmcloud.com/vulnerabilities/265873
  3. https://exchange.xforce.ibmcloud.com/vulnerabilities/275402

Check Also

High severity vulnerabilities in HPE ProLiant and HPE Edgeline Servers Using BIOS (PixieFail) (CVE-2023-45229, CVE-2023-45230, CVE-2023-45234, CVE-2023-45235, CVE-2021-38575)

Advisory No: TZCERT/SA/2024/05/31-2 Date of First Release: 31st May 2024 Source: Hewlett-Packard (HP) Software Affected: …