CVE-2020-4549

Vulnerability

IBM i2 Analyst Notebook version 9.2.1 (and possibly earlier versions) contains a memory corruption vulnerability. The flaw exists in the parsing of specially crafted files. An attacker can craft a malicious file that, when opened by a user in the application, triggers memory corruption. This requires the victim to have the application installed and to open the file [1].

Exploitation

An attacker must have local access to the system or be able to deliver the malicious file to the victim. No special privileges are required beyond user interaction. The attacker crafts a file that exploits the memory corruption and convinces the victim to open it using IBM i2 Analyst Notebook. The user interaction is necessary; no additional authentication is needed [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the victim's system with the privileges of the logged-on user. This can lead to full compromise of the system, including confidentiality, integrity, and availability impacts. The CVSS v3.0 base score is 7.8 (High) [1].

Mitigation

IBM has released a security bulletin addressing this vulnerability. Users should upgrade to the latest fixed version as specified in the bulletin. As of the publication date (2020-08-03), a fix is available. Refer to the IBM support page for details [1].