Security Bulletin: IBM Sterling B2B Integrator EBICs client affected by multiple issues due to Jettison

Summary

IBM Sterling B2B Integrator uses Jettison in its EBICs client.

Vulnerability Details

CVEID:CVE-2023-1436
**DESCRIPTION:**Jettison is vulnerable to a denial of service, caused by an infinite recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250490 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-45685
**DESCRIPTION:**Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending an overly long string using JSON data, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-45693
**DESCRIPTION:**Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242274 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-40149
**DESCRIPTION:**jettison-json Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236352 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-40150
**DESCRIPTION:**jettison-json Jettison is vulnerable to a denial of service, caused by an out of memory flaw. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

The IIM versions of 6.0.3.9, 6.1.0.8, 6.1.1.4, and 6.1.2.3 are available on Fix Central. The IIM version of 6.2.0.0 is available on Passport Advantage

The container version of 6.1.1.4, 6.1.2.3 and 6.2.0.0 are available in IBM Entitled Registry.

Workarounds and Mitigations

None