Lucene search

IBM471BEEF44DE6C27461378C7D110744F38E295FB10C4A50D100750E5E0D7941A0

HistoryDec 30, 2022 - 5:31 p.m.

Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a denial of service in Spring Framework (CVE-2022-22950)

2022-12-3017:31:59

www.ibm.com

ibm tivoli monitoring

spring framework

denial of service

cve-2022-22950

fix

remote code execution

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

35.1%

JSON

Summary

IBM Tivoli Monitoring is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22950). The Tivoli Enterprise Portal Server (CQ) component includes but does not use it. The fix removes Spring from the product.

Vulnerability Details

CVEID:CVE-2022-22950
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223096 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Tivoli Monitoring	6.3.0 - 6.3.0.7 (up to 6.3.0.7 Service pack 10)

Remediation/Fixes

Fix Name	VRMF	Remediation/Fix Download
6.3.0.7-TIV-ITM-SP0012	6.3.0.7 Fix Pack 7 Service Pack 12	<https://www.ibm.com/support/pages/ibm-tivoli-monitoring-630-fix-pack-7-service-pack-12-6307-tiv-itm-sp0012>
The fix requires the system is at 630 Fix pack 7 or later as a prerequisite.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmtivoli_monitoringMatch6.3.0.7

CPENameOperatorVersion
tivoli monitoringeq6.3.0.7

CPE	Name	Operator	Version
	tivoli monitoring	eq	6.3.0.7

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

35.1%

JSON

Related for 471BEEF44DE6C27461378C7D110744F38E295FB10C4A50D100750E5E0D7941A0