IBM observability software patched against critical bugs

Node.js sandbox escapes.

IBM’s Instana Observability software needs patching against critical vulnerabilities in Node.js components.

In an advisory, the vendor explained that CVE-2023-42282 is a flaw in the address handling of the Node.js ip package.

“Some IP addresses … are improperly categorised as globally routable by isPublic”, the advisory stated.

IBM’s advisory adds that the Node.js package “could allow a remote attacker to execute arbitrary code on the system, caused by a server-side request forgery flaw in the ip.isPublic() function.

“An attacker could exploit this vulnerability to execute arbitrary code on the system and obtain sensitive information.”
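The check the CVE-2023-42282 passage is about is an SSRF target filter: before a server fetches a URL on a user's behalf, it decides whether the address it would connect to is globally routable. Below is an added example of such a filter, written for this article; it is not IBM's code and not the ip package's isPublic() implementation. The advisory does not list which inputs isPublic mishandled, so the example takes the general lesson instead: parse addresses strictly, treat anything that is not canonical dotted-decimal (shorthand like "127.1", hex or leading-zero octets) as not public rather than guessing, and allow a request only if every address a hostname resolved to passes. The range table is the IANA special-purpose IPv4 registry; the function names are assumptions of this example.

```javascript
// Added example: a fail-closed "is this IPv4 address globally routable?" check
// for an SSRF allowlist. This is not the ip package's code; the non-global
// ranges are the IANA special-purpose IPv4 blocks, and the function names and
// the strict-parsing policy are this example's own assumptions.

// [network, prefix length] pairs that must never be treated as public.
const NON_GLOBAL_V4 = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // private
  ['100.64.0.0', 10],    // shared address space (CGNAT)
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local (cloud metadata endpoints live here)
  ['172.16.0.0', 12],    // private
  ['192.0.0.0', 24],     // IETF protocol assignments
  ['192.0.2.0', 24],     // TEST-NET-1
  ['192.88.99.0', 24],   // deprecated 6to4 relay anycast
  ['192.168.0.0', 16],   // private
  ['198.18.0.0', 15],    // benchmarking
  ['198.51.100.0', 24],  // TEST-NET-2
  ['203.0.113.0', 24],   // TEST-NET-3
  ['224.0.0.0', 4],      // multicast
  ['240.0.0.0', 4],      // reserved, includes 255.255.255.255
];

// Strict dotted-decimal parser: exactly four decimal octets 0-255, no leading
// zeros, no hex or octal forms, no shorthand such as "127.1". Anything that
// does not match is returned as null, so a caller can never mistake an unusual
// spelling of a loopback or private address for a public one.
function parseIPv4Strict(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = m[i];
    if (octet.length > 1 && octet[0] === '0') return null; // "01", "007", ...
    const n = Number(octet);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value; // 0 .. 2^32-1 as a plain number
}

// True when addr falls inside network/prefix (plain arithmetic, no signed
// 32-bit shift surprises).
function inBlock(addr, [network, prefix]) {
  const net = parseIPv4Strict(network);
  const hostBits = 2 ** (32 - prefix);
  return Math.floor(addr / hostBits) === Math.floor(net / hostBits);
}

// Returns 'public', 'non-global' or 'rejected' (unparseable -> not public).
function classifyIPv4(s) {
  const addr = parseIPv4Strict(s);
  if (addr === null) return 'rejected';
  return NON_GLOBAL_V4.some((block) => inBlock(addr, block)) ? 'non-global' : 'public';
}

function isPublicIPv4(s) {
  return classifyIPv4(s) === 'public';
}

// Gate for an outbound request: the caller resolves the hostname first
// (dns.lookup with { all: true }, or dns.resolve4) and passes every returned
// address here; the request goes ahead only if all of them are public.
function resolvedTargetAllowed(addresses) {
  return addresses.length > 0 && addresses.every(isPublicIPv4);
}

// Constructed sample inputs for a quick run of the file.
for (const s of ['8.8.8.8', '10.1.2.3', '169.254.169.254', '127.1', '0x7f.0.0.1', '01.2.3.4']) {
  console.log(s.padEnd(18), classifyIPv4(s));
}
```

The design choice worth noting is the third outcome: a lenient parser that "helpfully" accepts every notation the OS resolver accepts widens the set of strings that must be classified correctly, whereas a strict parser that rejects anything non-canonical keeps the allowlist decision small and reviewable. Checking the resolved addresses rather than the hostname string also matters, since a name under an attacker's control can resolve to a loopback or link-local address.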

The second advisory covers two sandbox escapes inherited by Instana Observability: CVE-2023-37903 and CVE-2023-37466.

CVE-2023-37903 is a flaw in the custom inspect function of the Node.js virtual machine module. Successful exploitation, IBM said, could let an attacker escape the sandbox and execute arbitrary code on the target.

CVE-2023-37466 is a sandbox escape in the Node.js virtual machine module’s Promise handler, also offering arbitrary code execution on the target.

There’s also a lower-rated vulnerability, CVE-2023-22041, in the Java SE virtual machine, which has “high confidentiality impacts” and a CVSS score of 5.1.

Customers are advised to update to a fixed release.

Copyright © iTnews.com.au. All rights reserved.