History: Oct 04, 2021 - 3:52 p.m.

Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by a vulnerability in libcurl (CVE-2021-22945)

2021-10-04 15:52:01
www.ibm.com

CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P

EPSS: 0.003 Low
Percentile: 63.8%

Summary

The Community Edition of IBM ILOG CPLEX Optimization Studio, on the Windows platform only, has addressed the following vulnerability: libcurl is vulnerable to a denial of service.

Vulnerability Details

CVEID: CVE-2021-22945
DESCRIPTION: cURL libcurl is vulnerable to a denial of service, caused by a use-after-free and double free flaw when sending data to an MQTT server. By sending specially crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/209451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM ILOG CPLEX Optimization Studio (COS) | 20.1.0.1
IBM ILOG CPLEX Optimization Studio (COS) | 20.1
IBM ILOG CPLEX Optimization Studio (COS) | 12.10
IBM ILOG CPLEX Optimization Studio (COS) | 12.9
IBM ILOG CPLEX Optimization Studio (COS) | 12.8

Remediation/Fixes

Please replace the initial DLL version with the fixed version 7.79.1 available on Fix Central.
MD checksum: 343C94A75FD43F7F04CDE8A079C58E67

How to upgrade:

  • locate the CPLEX binaries directory: %CPLEX_STUDIO_DIR%/cplex/bin/x64_win64 where %CPLEX_STUDIO_DIR% is the location where your CPLEX is installed.
  • download the new libcurl.dll
  • copy libcurl.dll to your CPLEX binaries directory (you might need administrative rights).

Workarounds and Mitigations

There is no workaround or mitigation.
