Multiple Critical Vulnerabilities in IBM Instana Observability (CVE-2023-42282, CVE-2023-37466 and CVE-2023-37903)

Advisory No: TZCERT/SA/2024/03/13-03

Date of First Release: 13^th March 2024

Source: IBM

Software Affected: IBM Instana Observability

Overview:

IBM has released security patches to address critical vulnerabilities affecting IBM Instana Observability. The vulnerabilities could allow an attacker to execute arbitrary code on the affected system.

Description:

IBM Instana Observability is affected with arbitrary code execution vulnerabilities as the result of sandbox escape flaw and server-side request forgery flaw in the Promise handler Node.js vm2 and Node.js IP package respectively. Successful exploitation of these vulnerabilities could allow the attacker to obtain sensitive information and execute arbitrary code on the system.

Impact:

Successful exploitation of these vulnerabilities may allow the attacker to take control of affected IBM Instana Observability versions.

Solution:

IBM has released patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References:

1. https://www.ibm.com/support/pages/node/7139917
2. https://www.ibm.com/support/pages/node/7139922
3. https://www.ibm.com/support/pages/node/7139922