Cybersecurity specialists report the detection of two severe vulnerabilities in IBM Cloud Application Business Insights, a popular enterprise computing solution. According to the report, successful exploitation of these flaws would allow threat actors to mount dangerous attacks against affected deployments.
Below are brief descriptions of the reported vulnerabilities, in addition to their respective tracking keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-45046: The fix shipped in Apache Log4j v2.15.0 for CVE-2021-44228 was incomplete. When the logging configuration uses a non-default pattern layout with a context lookup (such as ${ctx:loginId}) or a thread context map pattern (%X, %mdc or %MDC), remote threat actors with control over thread context map (MDC) input data can craft malicious input using a JNDI lookup pattern, leading to a denial-of-service (DoS) attack.
This is a critical flaw and received a CVSS score of 8.1/10, as its successful exploitation would put the affected system at total risk.
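The condition above is a configuration property, so it can be checked before patching. The following script is an added example, not code from the article or from IBM: it parses a Log4j 2 XML configuration and reports every PatternLayout that references the thread context map through a ${ctx:...} lookup or an MDC converter. The two sample configurations are constructed for the demonstration.

```python
"""Scan a Log4j 2 XML configuration for the pattern-layout conditions that
CVE-2021-45046 depends on: a thread-context-map lookup such as ${ctx:loginId}
or an MDC converter (%X, %mdc, %MDC) inside a PatternLayout."""
import re
import xml.etree.ElementTree as ET

# Tokens that pull attacker-influenceable thread-context-map data into a layout.
CTX_LOOKUP = re.compile(r"\$\{ctx:[^}]*\}")
MDC_CONVERTER = re.compile(r"%(?:X|mdc|MDC)(?![A-Za-z])")  # does not match %xEx

# Constructed sample configurations (not from the article); the second uses a
# plain layout that never references the thread context map.
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] ${ctx:loginId} %X{requestId} %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout><Pattern>%d %MDC{sessionId} %m%n</Pattern></PatternLayout>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

SAFE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %p [%t] %c{1.} %m%n"/>
    </Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""


def find_mdc_patterns(config_xml: str) -> list[tuple[str, str]]:
    """Return (appender name, offending token) for every PatternLayout whose
    pattern string references the thread context map."""
    findings = []
    for element in ET.fromstring(config_xml).iter():
        for layout in element.findall("PatternLayout"):
            # The pattern is either an attribute or a nested <Pattern> element.
            pattern = layout.get("pattern")
            if pattern is None:
                child = layout.find("Pattern")
                pattern = (child.text or "") if child is not None else ""
            label = element.get("name") or element.tag
            for token in CTX_LOOKUP.findall(pattern) + MDC_CONVERTER.findall(pattern):
                findings.append((label, token))
    return findings
```

A non-empty result only means the layout condition is met; whether the deployment is exposed still depends on the Log4j build in use, so treat the finding as a prioritisation signal for the upgrade, not as proof of exploitability.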
CVE-2021-45105: An infinite loop within the StrSubstitutor class would allow remote malicious hackers to pass specially crafted input to the application, consume all available system resources, and cause a DoS condition.
This is a flaw of medium severity and received a CVSS score of 6.7/10.
The flaws reside in the following versions of IBM Cloud Application Business Insights: v1.1.5, v1.1.6, and v1.1.7.
These flaws can be exploited by unauthenticated remote threat actors, and cybersecurity experts have confirmed that exploits for each bug are publicly available. Under such circumstances, specialists recommend upgrading to secure versions as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.