Security Bulletin: IBM Operational Decision Manager April 2023 - Multiple CVEs

Summary

This Security Bulletin addresses the security vulnerabilities that have been fixed within the IBM Operational Decision Manager. This product now includes fixes for the following security vulnerabilities.

Vulnerability Details

CVEID:CVE-2022-1471
**DESCRIPTION:**SnakeYaml could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Constructor class. By using a specially-crafted yaml content, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241118 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)

CVEID:CVE-2023-20861
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250701 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-1370
**DESCRIPTION:**netplex json-smart-v2 is vulnerable to a denial of service, caused by not limiting the nesting of arrays or objects. By sending a specially crafted input, a remote attacker could exploit this vulnerability to cause a stack exhaustion and crash the software.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249885 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-20860
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher in Spring Security configuration. An attacker could exploit this vulnerability to create a mismatch in pattern matching between Spring Security and Spring MVC.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM Operational Decision Manager V8.10.5.1:

Interim fix 34 for DT211502 is available from IBM Fix Central:

• 8.10.5.1-WS-ODM_K8S-PPC64LE-IF034
• 8.10.5.1-WS-ODM_K8S-PPC64LE-IF034
• 8.10.5.1-WS-ODM_K8S-LIN_X86-IF034
• 8.10.5.1-WS-ODM_DC-IF034
• 8.10.5.1-WS-ODM_DS-IF034
• 8.10.5.1-WS-ODM_ENG-IF034

IBM Operational Decision Manager V8.11.0.1:

Interim fix 17 for DT211502 is available from IBM Fix Central:

• 8.11.0.1-WS-ODM-IF017
• 8.11.0.1-WS-ODM_K8S-PPC64LE-IF017
• 8.11.0.1-WS-ODM_K8S-LIN_S390-IF017
• 8.11.0.1-WS-ODM_K8S-LIN_X86-IF017

IBM Operational Decision Manager V8.11.1:

Interim fix 5 for DT211502 is available from IBM Fix Central:

• 8.11.1.0-WS-ODM_K8S-LIN_S390-IF005
• 8.11.1.0-WS-ODM_K8S-PPC64LE-IF005
• 8.11.1.0-WS-ODM_K8S-LIN_X86-IF005
• 8.11.1.0-WS-ODM-IF005

Workarounds and Mitigations

None