This fix upgrades to socket.io 4.5.4, protobuf-java 3.21.9 and nodejs 14.21.1.
CVEID:CVE-2022-41940
**DESCRIPTION:**Socket.IO Engine.IO is vulnerable to a denial of service, caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote authenticated attacker could exploit this vulnerability to cause the Node.js process to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-3510
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for Message-Type Extensions. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239916 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-43548
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary code on the system. The rebinding protector for --inspect still allows invalid IP address, specifically, the octal format. By combining with an active --inspect session, an attacker could exploit this vulnerability to perform DNS rebinding and execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241552 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2022-2421
**DESCRIPTION:**Node.js socket.io module is vulnerable to SQL injection, caused by improper type validation in the socket.io-parser library. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239554 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID:CVE-2022-3509
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for textformat data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239915 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
ICP - IBM Answer Retrieval for Watson Discovery | All |
ICP - IBM Answer Retrieval for Watson Discovery | All |
ICP - IBM Answer Retrieval for Watson Discovery | All |
ICP - IBM Answer Retrieval for Watson Discovery | All |
ICP - IBM Answer Retrieval for Watson Discovery | All |
IBM strongly recommends addressing the vulnerability now.
Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
---|---|---|
IBM Answer Retrieval for Watson Discovery | < 2.10.0 | Download and install v2.10.0 |
Follow instructions in the downloaded package. |
N/A
CPE | Name | Operator | Version |
---|---|---|---|
answer retrieval for watson discovery on prem | eq | 2.7.0 |