IBM Support

Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in multiple Open Source Software (OSS) components

Security Bulletin


Summary

There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Planning Analytics Workspace. These issues have been addressed in IBM Planning Analytics 2.1.3 and IBM Planning Analytics 2.0.96 by upgrading or removing the vulnerable libraries. Please refer to the table in the Related Information section for vulnerability impact. This Security Bulletin relates only to the direct usage of third-party components by IBM Planning Analytics Workspace, and not any nested dependencies within the product.

Vulnerability Details

CVEID:   CVE-2023-49083
DESCRIPTION:   Cryptography package for Python is vulnerable to a denial of service, caused by a NULL pointer dereference when loading PKCS7 certificates. By deserializing a specially crafted PKCS7 blob/certificate, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272510 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2024-29041
DESCRIPTION:   Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286404 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2024-29025
DESCRIPTION:   Netty is vulnerable to a denial of service, caused by a flaw when using the HttpPostRequestDecoder to decode a form. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2024-31889
DESCRIPTION:   IBM Planning Analytics Local is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2024-23944
DESCRIPTION:   Apache ZooKeeper could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in persistent watchers handling. By attaching a persistent watcher to a parent, an attacker could exploit this vulnerability to obtain information of the full path of znodes, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285579 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2023-1370
DESCRIPTION:   netplex json-smart-v2 is vulnerable to a denial of service, caused by not limiting the nesting of arrays or objects. By sending a specially crafted input, a remote attacker could exploit this vulnerability to cause a stack exhaustion and crash the software.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249885 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-31908
DESCRIPTION:   IBM Planning Analytics Local is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289890 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

CVEID:   CVE-2021-31684
DESCRIPTION:   netplex JSON Smart is vulnerable to a denial of service, caused by a flaw in the indexOf function of JSONParserByteArray. By sending a specially-crafted web request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202818 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-0727
DESCRIPTION:   OpenSSL is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially crafted PKCS12 file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280532 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:   CVE-2024-23082
DESCRIPTION:   ThreeTen Backport is vulnerable to a denial of service, caused by an integer overflow in the org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition) component. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287387 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-23081
DESCRIPTION:   ThreeTen Backport is vulnerable to a denial of service, caused by a NullPointerException flaw in the org.threeten.bp.LocalDate::compareTo(ChronoLocalDate) component. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-31907
DESCRIPTION:   IBM Planning Analytics Local is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289889 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2023-45725
DESCRIPTION:   Apache CouchDB could allow a local attacker to gain elevated privileges on the system, caused by a flaw when using design document functions. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to gain elevated privileges to insert the design documents into the database, then manipulate a user to access a function from that design document.
CVSS Base score: 6.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/274772 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2023-50782
DESCRIPTION:   Python Cryptographic Authority cryptography could allow a remote attacker to obtain sensitive information, caused by a flaw when decrypting captured messages in TLS servers that use RSA key exchanges. By utilize cryptographic attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281614 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2024-26130
DESCRIPTION:   cryptography is vulnerable to a denial of service, caused by a NULL pointer dereference in the pkcs12.serialize_key_and_certificates process. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283820 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2021-38295
DESCRIPTION:   Apache CouchDB could allow a remote attacker to gain elevated privileges on the system, caused by improper input validation. By persuading a victim to open specially-crafted content, an authenticated attacker could exploit this vulnerability to gain elevated privileges to add or remove data in any database or make configuration changes.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211218 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-24706
DESCRIPTION:   Apache CouchDB could allow a remote attacker to gain elevated privileges on the system, caused by improper access control to an improperly secured default installation. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain admin privileges to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225177 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-3647
DESCRIPTION:   Redis is vulnerable to a denial of service, caused by a flaw in the sigsegvHandler function in debug.c in the Crash Report component. By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 2.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246835 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2024-22262
DESCRIPTION:   VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID:   CVE-2020-28483
DESCRIPTION:   Gin-Gonic Gin Web Framework is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195394 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID:   CVE-2023-26125
DESCRIPTION:   Gin-Gonic Gin could allow a remote attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request using the X-Forwarded-Prefix header, an attacker could exploit this vulnerability to perform cache poisoning attacks.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254482 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2020-36567
DESCRIPTION:   Gin-Gonic Gin Web Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation by the default logger. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject arbitrary log lines.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243412 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)

CVEID:   CVE-2023-29401
DESCRIPTION:   Gin-Gonic Gin Web Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation by the filename parameter of the Context.FileAttachment function. By using a specially-crafted attachment file name, an attacker could exploit this vulnerability to modify the Content-Disposition header.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255449 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2023-52428
DESCRIPTION:   Connect2id Nimbus-JOSE-JWT is vulnerable to a denial of service, caused by improper validation of user requests by the PasswordBasedDecrypter (PBKDF2) component. By sending a specially crafted request using a large JWE p2c header, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-27088
DESCRIPTION:   medikoo es5-ext is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By providing specially crafted regex input, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284319 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)Version(s)
IBM Planning Analytics Local - IBM Planning Analytics Workspace2.1
IBM Planning Analytics Local - IBM Planning Analytics Workspace2.0

Remediation/Fixes

It is strongly recommended that you apply the most recent security updates:
 
Affected Product(s)VersionFix
IBM Planning Analytics Local - IBM Planning Analytics Workspace2.1Download IBM Planning Analytics Local v2.1: Planning Analytics Workspace Release 3 (2.1.3) from Fix Central
IBM Planning Analytics Local - IBM Planning Analytics Workspace2.0Download IBM Planning Analytics Local v2.0: Planning Analytics Workspace Release 96 from Fix Central


IBM Planning Analytics Workspace cloud environments have been remediated.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Definitions:

Affected: The software product contains code, which has a documented vulnerability. Based on currently available information, however, we believe that the issue is likely not exploitable. However, as a best practice and from an abundance of caution, we recommend customers update their systems as soon as practical. Vulnerabilities evolve, and a means of exploiting any issue may emerge at any time.

Vulnerable: The software product contains code, which has a documented vulnerability. Our analysis shows that the issue may be exploitable.

Affected/Vulnerable Products and Versions: As used in IBM Security Bulletins, this category is intended to be only products and versions that are supported by IBM, and have not passed their end-of-support or warranty date. Thus, not including a reference in a Security Bulletin to unsupported or extended-support products or versions does not indicate a determination by IBM that they are unaffected by the vulnerability. Additionally, including a reference to one or more unsupported versions in a Security Bulletin (including reference to "All" versions) does not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

 

DependencyCVEImpact
N/ACVE-2024-31907Vulnerable
N/ACVE-2024-31908Vulnerable
N/ACVE-2024-31889Vulnerable
Apache CouchDBCVE-2023-45725Affected
CVE-2021-38295Affected
CVE-2023-45725Affected
Apache ZookeeperCVE-2024-23944Affected
Connect2id Nimbus JOSE+JWTCVE-2023-52428Affected
Go Gin-GonicCVE-2023-29401Affected
CVE-2020-28483, Affected
CVE-2023-26125Affected
 CVE-2020-36567Affected
medikoo es5-extCVE-2024-27088Affected
Netplex json-smartCVE-2021-31684Affected
CVE-2023-1370Affected
NettyCVE-2024-29025Affected
Node.js expressCVE-2024-29041Affected
Python cryptographyCVE-2023-49083Affected
CVE-2024-26130Affected
CVE-2023-50782Affected
CVE-2024-0727Affected
RedisCVE-2022-3647Affected
Threeten BackportCVE-2024-23081Affected
CVE-2024-23082Affected
VMWare Tanzu Spring FrameworkCVE-2024-22262Affected

Acknowledgement

Change History

30 May 2024: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCTEW","label":"IBM Planning Analytics Local"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
30 May 2024

UID

ibm17151122

Page Feedback