Security Bulletin: Vulnerability in Jettison affects IBM Process Mining . CVE-2022-45685 + CVE-2022-45693

Summary

There is a vulnerability in Jettison that could allow a remote attacker to cause a denial of service. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-45685
**DESCRIPTION:**Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending an overly long string using JSON data, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-45693
**DESCRIPTION:**Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242274 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Remediation/Fixes

Remediation/Fixes guidance:

Upgrade to version 1.14.0.0

1.Login to PassPortAdvantage

2. Search for
M0BMPML Process Mining 1.14.0.0 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M0BMQML Process Mining 1.14.0.0 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known