Security Bulletin: Multiple VMWare Tanzu Spring Vulerabilities Affects IBM OpenPages with Watson (CVE-2022-22968, CVE-2022-22970, CVE-2022-22971)

Summary

Spring Framework open source library is used by IBM OpenPages with Watson. Multiple vulnerabilties are being disclosed from Spring Framework within this bulletin. These vulnerabilities are addressed.

Vulnerability Details

CVEID:CVE-2022-22968
**DESCRIPTION:**Spring Framework could provide weaker than expected security, caused by a data binding rules vulnerability in which the patterns for disallowedFields on a DataBinder are case sensitive. The case sensitivity allows that a field is insufficiently protected unless it is listed with both upper and lower case for the first character of the field. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224374 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-22970
**DESCRIPTION:**Vmware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling of file uploads. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226491 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-22971
**DESCRIPTION:**Vmware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226492 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM OpenPages with Watson

|

8.3, 8.2

Remediation/Fixes

A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:

For IBM OpenPages with Watson 8.3

- Apply 8.3 Fix Pack 2 (8.3.0.2) or later

|

<https://www.ibm.com/support/pages/openpages-watson-83-fix-pack-2&gt;

For IBM OpenPages with Watson 8.2

- Upgrade to 8.2 Fix Pack 4 (8.2.0.4)

- Apply Interim Fix 7 (8.2.0.4.7) or later

Or

- Upgrade to 8.2 Fix Pack 5 (8.2.0.5)

|

IBM recommends to use the latest Interim Fix (IF) or Fix Pack. Here is the link for more information:

<https://www.ibm.com/support/pages/openpages-watson-82-fix-list&gt;

For IBM OpenPages with Watson 8.0/8.1 customers, IBM recommends to upgrade to a fixed and supported versions 8.2, 8.3 or9.0 of the product.

Workarounds and Mitigations

None