Lucene search

K
ibmIBM32389A6BDE175BCDB73F1428D3481487894E1BD82D99F1AD2A2247843AF22DA1
HistoryNov 22, 2022 - 7:56 a.m.

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote code execution due to Apache Commons Text (CVE-2022-42889)

2022-11-2207:56:05
www.ibm.com
175
ibm sterling connect:direct
microsoft windows
apache commons text
cve-2022-42889
remote code execution
upgrade
vulnerability
security bulletin

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.971

Percentile

99.8%

Summary

There is a vulnerability in Apache Commons Text used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVE [CVE-2022-42889].

Vulnerability Details

**CVEID:**CVE-2022-42889 DESCRIPTION: Apache Commons Text could allow a remote attacker to execute arbitrary code on the system, caused by an insecure interpolation defaults flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Connect:Direct for Microsoft Windows 4.8.0.0 - 4.8.0.3_iFix049
IBM Sterling Connect:Direct for Microsoft Windows 6.0.0.0 - 6.0.0.4_iFix057
IBM Sterling Connect:Direct for Microsoft Windows 6.1.0.0 - 6.1.0.2_iFix051
IBM Sterling Connect:Direct for Microsoft Windows 6.2.0.0 - 6.2.0.4_iFix016

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

Product(s) Version(s) APAR Remediation / Fix
IBM Sterling Connect:Direct for Microsoft Windows 4.8.0.0 - 4.8.0.3_iFix049 IT42066 Apply 4.8.0.3_iFix050, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows 6.0.0.0 - 6.0.0.4_iFix057 IT42066 Apply 6.0.0.4_iFix058, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows 6.1.0.0 - 6.1.0.2_iFix051 IT42066 Apply 6.1.0.2_iFix052, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows 6.2.0.0 - 6.2.0.4_iFix016 IT42066 Apply 6.2.0.4_iFix017, available on Fix Central

For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsterling_connect\Matchdirect_for_microsoft_windows4.8
OR
ibmsterling_connect\Matchdirect_for_microsoft_windows6.0
OR
ibmsterling_connect\Matchdirect_for_microsoft_windows6.1
OR
ibmsterling_connect\Matchdirect_for_microsoft_windows6.2
VendorProductVersionCPE
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:4.8:*:*:*:*:*:*:*
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:6.0:*:*:*:*:*:*:*
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:6.1:*:*:*:*:*:*:*
ibmsterling_connect\direct_for_microsoft_windowscpe:2.3:a:ibm:sterling_connect\:direct_for_microsoft_windows:6.2:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.971

Percentile

99.8%