Security Bulletin: IBM Storage Protect Client and IBM Storage Protect for Space Management are vulnerable to denial of service due to CVEs in XStream (woodstox) (CVE-2022-40151, CVE-2022-40152)

Summary

IBM Storage Protect Client and IBM Storage Protect for Space Management can be affected by security flaws in XStream (woodstox). The flaws can lead to denial of service, as described in the “Vulnerability Details” section.

Vulnerability Details

CVEID:CVE-2022-40152
**DESCRIPTION:**XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-40151
**DESCRIPTION:**XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by upgrading.

Product|**Fixing level
**|Platforms|Link to fix and instructions
—|—|—|—
IBM Storage Protect Backup-Archive Client| 8.1.20.0|

AIX

HP-UX

Linux

Macintosh

Solaris

Windows

| <https://www.ibm.com/support/pages/node/7015829&gt;
IBM Storage Protect for Space Management| 8.1.20.0|

AIX

Linux

| <https://www.ibm.com/support/pages/node/7015827&gt;

Workarounds and Mitigations

None