IBM1000EA94DEFA2EB3AF460BF1510136CD4F1CDF024F55805AA14EE63E59B49F4CSecurity Bulletin: Multiple Vulnerabilities in Apache Ivy affect IBM Cloud Pak System
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
7.4 High
AI Score
Confidence
Low
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.002 Low
EPSS
Percentile
52.9%
Summary
Vulnerabilities found in Apache Ivy affect IBM Cloud Pak System.
Vulnerability Details
CVEID:CVE-2022-46751
**DESCRIPTION:**Apache Ivy could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264003 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
CVEID:CVE-2022-37865
**DESCRIPTION:**Apache Ivy could allow a local authenticated attacker to traverse directories on the system, caused by improper validation of user supplied input. An attacker could use a specially-crafted archive file containing โdot dotโ sequences (/โฆ/) to write arbitrary files on the system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239423 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2022-37866
**DESCRIPTION:**Apache Ivy could allow a remote attacker to traverse directories on the system, caused by improper validation of user request. An attacker could send a specially-crafted URL request containing โdot dotโ sequences (/โฆ/) to overwrite arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239567 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak System | 2.3.1.1, 2.3.20 (Power) |
| IBM Cloud Pak System | 2.3.3.7 (Power) |
Remediation/Fixes
For unsupported version/release/platform IBM recommends upgrading to a fixed, supported /release/platform of the product.
For IBM Cloud Pak System v2.3.1.1, v2.3.2.0
upgrade to Cloud Pak System v2.3.3.7, then apply Cloud Pak System v2.3.3.7 Interim Fix 1
Information on upgrading to Cloud Pak System v.2.3.3.7 at https://www.ibm.com/support/pages/node/6982511
For Cloud Pak System V2.3.3.7, apply Cloud Pak System V2.3.3.7 Interim Fix 1.
information on upgrading available at <http://www.ibm.com/support/docview.wss?uid=ibm10887959>
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud pak system software | eq | 2.3 |
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
7.4 High
AI Score
Confidence
Low
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
0.002 Low
EPSS
Percentile
52.9%