Lucene search

K
ibmIBM0204816A7AF9A939838902C9073F28137835C2E17451888C3BAED1BFCB7D899F
HistoryApr 20, 2023 - 1:36 p.m.

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition

2023-04-2013:36:16
www.ibm.com
21
ibm sdk
java technology edition
cve-2022-21628
cve-2022-21626
cve-2022-21624
cve-2022-21619
oracle critical patch update
denial of service
security component
low integrity impact
x-force
cvss base score
developerworks license
software security bulletin

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

59.5%

Summary

This bulletin covers all applicable Java SE CVEs published by Oracle as part of their October 2022 Critical Patch Update. For more information please refer to Oracle’s October 2022 CPU Advisory and the X-Force database entries referenced below.

Vulnerability Details

CVEID:CVE-2022-21628
**DESCRIPTION:**Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21626
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21624
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-21619
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

7.1.0.0 - 7.1.5.15
8.0.0.0 - 8.0.7.15

For detailed information on which CVEs affect which releases, please refer to the IBM SDK, Java Technology Edition Security Vulnerabilities page.

Remediation/Fixes

7.1.5.16 (restricted access)
8.0.7.20

IBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from the Java Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.

APAR numbers are as follows:

IJ44182 (CVE-2022-21628)
IJ44184 (CVE-2022-21626)
IJ44188 (CVE-2022-21624)
IJ44190 (CVE-2022-21619)

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmjavaMatchany

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

59.5%

Related for 0204816A7AF9A939838902C9073F28137835C2E17451888C3BAED1BFCB7D899F