History: Aug 07, 2023 - 6:16 a.m.

Security Bulletin: IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to FasterXML jackson-databind [CVE-2022-42003, CVE-2022-42004]

2023-08-07 06:16:20
www.ibm.com
ibm openpages
ibm cloud pak for data
fasterxml jackson-databind
denial of service
vulnerability
upgrade

EPSS: 0.003 (Low), Percentile: 66.1%

Summary

FasterXML jackson-databind is used by IBM OpenPages for IBM Cloud Pak for Data. Several vulnerabilities in this component have been addressed.

Vulnerability Details

CVEID: CVE-2022-42003
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237662 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-42004
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the BeanDeserializer._deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237660 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
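
Both descriptions above come down to request bodies whose arrays are nested far deeper than legitimate data. As an added example (not code from IBM or the jackson-databind project), the Python below measures array nesting depth in captured JSON request bodies in one iterative pass so unusually deep bodies can be flagged for review. The threshold of 32, the function names and the sample requests are assumptions constructed for illustration.

```python
"""Added example: flag JSON bodies with unusually deep array nesting."""
from typing import Iterable, List, Tuple

MAX_ARRAY_DEPTH = 32  # assumed review threshold, not a value from the bulletin


def max_array_depth(body: str) -> int:
    """Return the largest number of JSON arrays open at the same time.

    The scan is a single loop with no recursion, so the checker cannot be
    exhausted by the nesting it measures. Brackets inside string literals
    (including after escaped quotes) are ignored.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in body:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "]":
            depth = max(depth - 1, 0)  # tolerate unbalanced input
    return deepest


def flag_deep_bodies(records: Iterable[Tuple[str, str]],
                     limit: int = MAX_ARRAY_DEPTH) -> List[Tuple[str, int]]:
    """Return (request_id, depth) for each body deeper than `limit`."""
    scored = ((request_id, max_array_depth(body)) for request_id, body in records)
    return [(request_id, depth) for request_id, depth in scored if depth > limit]


# Constructed sample request bodies (hypothetical, not from the bulletin).
SAMPLE_REQUESTS = [
    ("req-1", '{"name": "risk [draft]", "tags": ["a", "b"]}'),
    ("req-2", '{"matrix": [[1, 2], [3, 4]]}'),
    ("req-3", "[" * 40 + "1" + "]" * 40),
    ("req-4", '{"note": "' + "[" * 40 + '"}'),
]

if __name__ == "__main__":
    for request_id, depth in flag_deep_bodies(SAMPLE_REQUESTS):
        print(f"{request_id}: array depth {depth} exceeds {MAX_ARRAY_DEPTH}")
```

Flagging of this kind is for triage of request logs only; the bulletin's remediation remains the upgrade.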

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM OpenPages for IBM Cloud Pak for Data | 4.5.x |
| IBM OpenPages for IBM Cloud Pak for Data | 4.6.0, 4.6.1, 4.6.2 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

If you are using IBM OpenPages for IBM Cloud Pak for Data 8.300.x and 8.301.x, you will need to upgrade to

1. IBM Cloud Pak for Data Version 4.6.3 or later

2. IBM OpenPages for IBM Cloud Pak for Data 8.302.0 or later

Upgrade installation instructions are provided at the URL listed below:

https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=openpages-upgrading

Workarounds and Mitigations

None