IBM observability software patched against critical bugs

IBM’s Instana Observability software needs patching against critical vulnerabilities in Node.js components.

In an advisory, the vendor explained that CVE-2023-42282 is a flaw in the Node.js IP processing.

“Some IP addresses … are improperly categorised as globally routable by isPublic”, the advisory stated.

IBM’s advisory adds that the Node.js package “could allow a remote attacker to execute arbitrary code on the system, caused by a server-side request forgery flaw in the ip.isPublic() function.

“An attacker could exploit this vulnerability to execute arbitrary code on the system and obtain sensitive information.”
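The defensive counterpart to the misclassification described above is a fail-closed address check in front of any outbound request: parse the address strictly, treat anything that does not parse as unsafe, and only allow addresses that fall outside every reserved range. The following is an added example written for this article; it is not IBM's code, not the Node.js `ip` package, and does not reproduce that package's logic. It assumes IPv4 only, that the caller has already resolved hostnames to addresses, and that the range list below is the policy wanted (it covers the RFC 1918 private ranges, loopback, link-local, shared address space, documentation, benchmarking, multicast and reserved blocks).

```javascript
// Added example (not IBM's or the `ip` package's code): strict IPv4 parsing and
// classification for an outbound-request allowlist. Assumptions: IPv4 only,
// hostnames already resolved by the caller, and any input that fails strict
// parsing is treated as unsafe rather than "probably public".

// Parse exactly four decimal octets, each 0..255, with no leading zeros.
// Shorthand, hex and octal spellings are rejected instead of being guessed at,
// which is what keeps the later range check from being bypassed by spelling.
function parseIPv4Strict(str) {
  if (typeof str !== 'string') return null;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  const octets = [];
  for (let i = 1; i <= 4; i++) {
    const s = m[i];
    if (s.length > 1 && s[0] === '0') return null; // "01" is not canonical
    const n = Number(s);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Pack four octets into an unsigned 32-bit integer.
function toInt(octets) {
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// True when addr lies inside base/bits.
function inCidr(addr, base, bits) {
  if (bits === 0) return true;
  const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// Ranges that must never be treated as globally routable (policy choice for
// this example; extend as needed).
const NON_PUBLIC_RANGES = [
  ['0.0.0.0', 8],       // "this" network
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // shared address space (CGNAT)
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local
  ['172.16.0.0', 12],   // RFC 1918
  ['192.0.0.0', 24],    // IETF protocol assignments
  ['192.0.2.0', 24],    // documentation (TEST-NET-1)
  ['192.168.0.0', 16],  // RFC 1918
  ['198.18.0.0', 15],   // benchmarking
  ['198.51.100.0', 24], // documentation (TEST-NET-2)
  ['203.0.113.0', 24],  // documentation (TEST-NET-3)
  ['224.0.0.0', 4],     // multicast
  ['240.0.0.0', 4],     // reserved, includes broadcast
].map(([base, bits]) => [toInt(parseIPv4Strict(base)), bits]);

// Returns 'invalid', 'non-public' or 'public'. Only the last is safe to reach.
function classify(str) {
  const octets = parseIPv4Strict(str);
  if (!octets) return 'invalid';
  const addr = toInt(octets);
  for (const [base, bits] of NON_PUBLIC_RANGES) {
    if (inCidr(addr, base, bits)) return 'non-public';
  }
  return 'public';
}

// Fail-closed gate for an outbound HTTP client: unparsable input is refused,
// not waved through.
function isSafeOutboundTarget(str) {
  return classify(str) === 'public';
}

module.exports = { parseIPv4Strict, classify, isSafeOutboundTarget };
```

The important design choice is the order of the two decisions: the parser refuses anything it cannot interpret unambiguously before the range check runs, so an unusual spelling never reaches the comparison that decides whether the address is public. A real deployment would also need IPv6 handling and a check on the resolved address at connect time, since a hostname can resolve differently between validation and the actual request.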

The second advisory covers two sandbox escapes inherited by Instana Observability: CVE-2023-37903 and CVE-2023-37466.

CVE-2023-37903 is a flaw in the custom inspect function of the Node.js virtual machine module. Successful exploitation, IBM said, could let an attacker escape the sandbox and execute arbitrary code on the target.

CVE-2023-37466 is a sandbox escape in the Node.js virtual machine module’s Promise handler, also offering arbitrary code execution on the target.

There’s also a lower-rated vulnerability, CVE-2023-22041, in the Java SE virtual machine, which has “high confidentiality impacts” and a CVSS score of 5.1.

Customers are advised to update to a fixed release.
