Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Netty HTTP response splitting (CVE-2022-41915)

Summary

Potential security bypass vulnerability in Netty-(CVE-2022-41915) has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. Refer to details for additional information.

Vulnerability Details

CVEID:CVE-2022-41915
**DESCRIPTION:**Netty is vulnerable to HTTP response splitting attacks, caused by a flaw when calling DefaultHttpHeaders.set with an iterator of values. A remote attacker could exploit this vulnerability to inject arbitrary HTTP/1.1 response header in some form and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242595 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For all affected versions, IBM strongly recommends addressing the vulnerability now by upgrading to the latest (v4.6.2) release of IBM Watson Assistant for IBM Cloud Pak for Data which maintains backward compatibility with the versions listed above.

Follow instructions for Installing Watson Assistant in Link to Release (v4.6.2 release information)

<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x&gt;

Workarounds and Mitigations

None