Advisory

IBM patches Instana Observability software, fixes Node.js flaws

IBM has patched its Instana Observability software against three critical vulnerabilities in third-party Node.js packages it bundles, along with a lower-severity Java SE issue.

  • The first critical vulnerability is CVE-2023-42282 (CVSS 9.8), in the `ip` npm package (node-ip) that Node.js applications use for IP-address handling. Its `isPublic()` function classifies certain non-canonical spellings of loopback and private addresses as globally routable. An application that relies on `ip.isPublic()` to decide whether an outbound request is safe can therefore be steered to internal hosts, a server-side request forgery (SSRF) which IBM's advisory says could be used to execute arbitrary code on the affected system and access sensitive information.
  • IBM has also patched two sandbox-escape vulnerabilities, CVE-2023-37903 and CVE-2023-37466 (both CVSS 9.8), in the `vm2` package, a third-party Node.js sandbox library (not the built-in `node:vm` module). CVE-2023-37903 stems from vm2's handling of a custom `inspect` function, which lets code running inside the sandbox break out of its restrictions and execute arbitrary code on the host. CVE-2023-37466 is a similar escape through the sandbox's Promise handler, again leading to arbitrary code execution. Both affect vm2 up to and including 3.9.19, and the vm2 project has since been discontinued by its maintainers, so other applications carrying the dependency should remove it rather than wait for an upstream fix.

Apart from these, a lower-severity vulnerability, CVE-2023-22041, in the Hotspot component of Oracle Java SE and GraalVM Enterprise Edition was also addressed. Its CVSS score of 5.1 reflects a hard-to-exploit issue requiring local access, but Oracle's advisory notes "high confidentiality impacts" if it is exploited.

IBM strongly recommends that customers update their Instana Observability software to a patched release as soon as possible. Operators of other Node.js services can check whether they carry the same packages, directly or transitively, with `npm ls ip vm2` or `npm audit`.