Security Bulletin: IBM i Access Client Solutions is vulnerable to DLL hijacking when run on a Windows operating system (CVE-2022-40746)

Published: 2022-11-18 19:19:17
Source: www.ibm.com
CVSS3: 7.2 High

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

EPSS: 0.0004 Low
Percentile: 5.1%

Summary

IBM i Access Client Solutions is vulnerable to DLL hijacking when certain features that leverage native code are run on a Windows operating system. IBM has addressed this CVE by providing a fix to IBM i Access Client Solutions as described in the remediation/fixes section.

Vulnerability Details

CVEID: CVE-2022-40746
DESCRIPTION: IBM i Access Family could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking vulnerability. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/236581 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s): IBM i Access Client Solutions
Version(s): 1.1.2 - 1.1.4, 1.1.4.3 - 1.1.9.0

Remediation/Fixes

The issue can be fixed by upgrading to version 1.1.9.1 or later. See IBM i Access Client Solutions updates for the latest version available.

Affected Product(s): IBM i Access Client Solutions
Version(s): 1.1.2 - 1.1.4, 1.1.4.3 - 1.1.9.0
Remediation/Fix/Instructions: The current version of IBM i Access Client Solutions is available at Downloads. Or you may download it from the general IBM i software site at Entitled Systems Support (ESS).
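
As an added example (not part of IBM's bulletin), the following Python sketch triages a workstation inventory against the affected ranges and fix level listed above. The host names, sample versions and the dotted numeric version format are assumptions made for illustration; versions below 1.1.9.1 that fall outside both listed ranges are reported as not-listed rather than treated as safe.

```python
# Added example: classify installed ACS versions against this bulletin.
# Assumption: versions arrive as dotted numeric strings (e.g. "1.1.9.0");
# how they are collected from each workstation is outside this sketch.

AFFECTED_RANGES = [("1.1.2", "1.1.4"), ("1.1.4.3", "1.1.9.0")]  # from the bulletin
FIXED_FROM = "1.1.9.1"                                          # from the bulletin


def parse_version(text, width=4):
    """Turn '1.1.4' into (1, 1, 4, 0) so 1.1.4 and 1.1.4.0 compare equal."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= width or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (width - len(parts))


def classify(version):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    if v >= parse_version(FIXED_FROM):
        return "fixed"
    # Below the fix but outside both listed ranges (e.g. 1.1.4.1): the
    # bulletin makes no statement, so flag it for manual review.
    return "not-listed"


def triage(inventory):
    """Map {host: version} to {status: [hosts]}; bad strings go to 'unparsed'."""
    report = {"affected": [], "fixed": [], "not-listed": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        try:
            report[classify(version)].append(host)
        except ValueError:
            report["unparsed"].append(host)
    return report


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = {"ws-01": "1.1.9.0", "ws-02": "1.1.9.1", "ws-03": "1.1.4.1",
          "ws-04": "1.1.4", "ws-05": "1.1.8.7 beta", "ws-06": "1.1.1"}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:11} {', '.join(hosts) or '-'}")
```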

Workarounds and Mitigations

None

Affected configurations

Vulners node:
ibmi_access_client_solutions, range 1.1.2
OR
ibmi_access_client_solutions, range 1.1.4
