IBM has revealed multiple critical and high-severity flaws across a range of products, the most severe of which can be found in its IBM Spectrum Protect tool. Researchers say the most severe of these flaws could cause a remote attacker to execute arbitrary code on impacted systems.
So far, IBM has disclosed seven CVEs across its data storage and management tools. This includes IBM’s Planning Analytics data analysis tool, IBM Security Guardium data protection platform and the IBM Daeja ViewONE web-based image viewer.
The worst is CVE-2019-4087, which affects the servers and storage agents that make up Spectrum Protect. The flaw, which has a CVSS score of 9.8 out of 10, is a stack-based buffer overflow that stems from improper bounds checking in those servers and storage agents. Impacted are versions 7.1 and 8.1 of the platform.
“By sending an overly long request, a remote attacker could overflow a buffer and execute arbitrary code on the system with instance id privileges or cause the server or storage agent to crash,” says IBM’s support page.
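The advisory describes the classic shape of this bug class: a request carries a length, the code checks that length against the message but not against the fixed-size stack buffer it copies into, and an overly long request overwrites the stack. The following is an added illustration of that pattern and its fix; it is not IBM's code and says nothing about Spectrum Protect's actual wire protocol. The two-byte length-prefixed message format, the `FIELD_MAX` buffer size and the `parse_unchecked`/`parse_checked` function names are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* size of the fixed stack buffer (constructed value) */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Constructed wire format: 2-byte big-endian length, then that many payload bytes. */
static size_t read_len(const uint8_t *msg) { return ((size_t)msg[0] << 8) | msg[1]; }

/* Vulnerable pattern: the declared length is validated against the message size
 * only, never against the stack buffer it is copied into. A length of FIELD_MAX
 * or more overruns `field` (the terminating NUL alone overflows at exactly FIELD_MAX). */
int parse_unchecked(const uint8_t *msg, size_t msg_len, char *out, size_t out_len) {
    char field[FIELD_MAX];
    if (msg_len < 2) return PARSE_TRUNCATED;
    size_t n = read_len(msg);
    if (n > msg_len - 2) return PARSE_TRUNCATED;   /* message-level check only */
    memcpy(field, msg + 2, n);                     /* stack overflow when n >= FIELD_MAX */
    field[n] = '\0';
    snprintf(out, out_len, "%s", field);
    return PARSE_OK;
}

/* Hardened form: reject the request before any copy if the declared length
 * cannot fit in the destination buffer together with its terminator. */
int parse_checked(const uint8_t *msg, size_t msg_len, char *out, size_t out_len) {
    char field[FIELD_MAX];
    if (msg_len < 2) return PARSE_TRUNCATED;
    size_t n = read_len(msg);
    if (n > msg_len - 2) return PARSE_TRUNCATED;
    if (n >= sizeof field) return PARSE_TOO_LONG;  /* the missing bounds check */
    memcpy(field, msg + 2, n);
    field[n] = '\0';
    snprintf(out, out_len, "%s", field);
    return PARSE_OK;
}

/* Builds a constructed request whose payload is `n` bytes of 'A'. Returns the
 * total message length, or 0 if it does not fit in `buf`. */
static size_t build_request(uint8_t *buf, size_t cap, size_t n) {
    if (n > 0xFFFF || n + 2 > cap) return 0;
    buf[0] = (uint8_t)(n >> 8);
    buf[1] = (uint8_t)(n & 0xFF);
    memset(buf + 2, 'A', n);
    return n + 2;
}

/* A 5-byte payload is accepted by both parsers. */
int demo_valid_checked(void) {
    uint8_t req[512]; char out[FIELD_MAX];
    size_t len = build_request(req, sizeof req, 5);
    return parse_checked(req, len, out, sizeof out);
}

int demo_valid_unchecked(void) {
    uint8_t req[512]; char out[FIELD_MAX];
    size_t len = build_request(req, sizeof req, 5);
    return parse_unchecked(req, len, out, sizeof out);
}

/* A 200-byte payload is rejected by the hardened parser; the unchecked one
 * would corrupt the stack, so it is deliberately never called with this input. */
int demo_oversized_checked(void) {
    uint8_t req[512]; char out[FIELD_MAX];
    size_t len = build_request(req, sizeof req, 200);
    return parse_checked(req, len, out, sizeof out);
}

int main(void) {
    printf("valid request, checked parser:     %d\n", demo_valid_checked());
    printf("valid request, unchecked parser:   %d\n", demo_valid_unchecked());
    printf("oversized request, checked parser: %d\n", demo_oversized_checked());
    return 0;
}
```

Compiling with `-fstack-protector-strong` or AddressSanitizer is a useful check for the unchecked variant during testing, but the durable fix is the explicit length-versus-buffer comparison before the copy, which is exactly the kind of bounds check the advisory says was missing.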
Another high-severity flaw (CVE-2019-4088) in IBM Spectrum Protect could allow a local attacker to gain elevated privileges on impacted systems. Also patched was a medium-severity glitch in IBM Spectrum Protect that could allow a local user to replace existing databases by restoring old data, and a final low-severity flaw in the platform’s operations center (CVE-2019-4129) that could allow a remote attacker to obtain sensitive information.
IBM has urged impacted users to upgrade to version 8.1.8 or 126.96.36.1990.