IBM has disclosed critical and high-severity vulnerabilities in Spectrum Protect, Big Blue’s security tool under the umbrella of its Spectrum data storage software branding. The most severe of these flaws could cause a remote attacker to execute arbitrary code on impacted systems.
Overall, IBM disclosed seven CVEs across a slew of its data storage and management tools. That includes IBM’s Planning Analytics data analysis tool, IBM Security Guardium data protection platform and the IBM Daeja ViewONE web-based image viewer.
The worst flaw is a critical vulnerability (CVE-2019-4087) impacting the servers and storage agents that are supposed to be protected by Spectrum Protect, IBM’s data security platform that centralizes control for enterprise backup and recovery.
The flaw, which has a CVSS Score of 9.8 out of 10, is a stack-based buffer overflow vulnerability that stems from improper bounds checking in the servers and storage agents that make up Spectrum Protect. Impacted are versions 7.1 and 8.1 of the platform.
“By sending an overly long request, a remote attacker could overflow a buffer and execute arbitrary code on the system with instance id privileges or cause the server or storage agent to crash,” according to IBM’s support page.
Another high-severity flaw (CVE-2019-4088) in the IBM Spectrum Protect could allow a local attacker to gain elevated privileges on impacted systems. This flaw is triggered by loading a specially crafted library via the ‘dsmqsan’ module of the platform. By loading this library, a local attacker could gain root privileges on the vulnerable system.
Also patched was a medium-severity glitch (CVE-2019-4140) in IBM Spectrum Protect could allow a local user to replace existing databases by restoring old data; and a final low-severity flaw in the platform’s operations center (CVE-2019-4129) that could allow a remote attacker to obtain sensitive information.
Impacted users are urged to update to version 8.1.8 or 7.1.9.300 (downloads are available here).
IBM Security Guardium, IBM’s tool to prevent leaks from databases and warehouses, also has a high-severity vulnerability (CVE-2019-4292), with a CVSS score of 8.8 out of 10. The flaw, which exists in IBM Security Guardium 10.5, could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable web server.
Other flaws include two medium-severity glitches; including a cross-site scripting flaw in IBM Planning Analytics 2.0 (CVE-2019-4134) that could potentially lead to credentials disclosure; and an information disclosure glitch (CVE-2019-4260) in IBM Daeja ViewONE Virtual 5.0 – 5.0.5.