Lucene search

K
ibmIBM186B70A46AA8E0019EA1FA3AD7C84BE2123190D3E9ECBD8080B8E32748EE5D8E
HistoryJun 22, 2022 - 5:20 p.m.

Security Bulletin: Multiple Vulnerabilities in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data

2022-06-2217:20:36
www.ibm.com
9

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.014 Low

EPSS

Percentile

86.2%

Summary

WebSphere liberty is vulnerable to a DOS that is impacting Watson Knowledge Catalog for IBM Cloud Pak for Data. This vulnerability has been addressed.

Vulnerability Details

CVEID:CVE-2021-35517
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compressโ€™ tar package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205307 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-36090
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compressโ€™ zip package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Watson Knowledge Catalog on-prem 3.5
IBM Watson Knowledge Catalog on-prem 4.0

Remediation/Fixes

Watson Knowledge Catalog for IBM Cloud Pak for Data 4.0: install Refresh 4 of Cloud Pak for Data Version 4.0: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=overview-whats-new#whats-new__refresh-4&gt;

Watson Knowledge Catalog for IBM Cloud Pak for Data 3.5.1: install Refresh 12 of Cloud Pak for Data Version 3.5: <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=overview-whats-new#whats-new__refresh-12&gt;

Workarounds and Mitigations

None. WebSphere Liberty must be upgraded.

Affected configurations

Vulners
Node
ibmcloud_pak_for_dataMatch2.5
CPENameOperatorVersion
ibm cloud pak for dataeq2.5

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.014 Low

EPSS

Percentile

86.2%