History: Mar 31, 2022 - 10:43 p.m.

Security Bulletin: IBM UrbanCode Deploy impacted by Apache Log4j SQL Injection vulnerability (CVE-2022-23305)

Source: www.ibm.com

CVSS v3.1: 9.8 Critical (CVE-level score; IBM's own rating for this bulletin is given under Vulnerability Details)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2: 6.8 Medium
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.005 (Low), percentile 75.9%

Summary

When a JDBCAppender has been added to the logging configuration, Log4j 1.2.x builds the SQL statement it sends to the external database by substituting log event fields, including the logged message text, into a configured SQL string without escaping them, so any logged content an attacker can influence becomes part of the executed SQL. This is a non-default configuration: the appender is only active if it has been explicitly configured. The fix removes this component from the product.

Vulnerability Details

CVEID: CVE-2022-23305
**DESCRIPTION:** Apache Log4j is vulnerable to SQL injection. A remote attacker could supply specially crafted input that the application logs through the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5 (IBM X-Force rating for this bulletin; the 9.8 score in the header above is the generic CVE-level rating)
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
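What the description above amounts to in code, as an added illustration that is not Log4j's or IBM's code: Log4j 1.2's JDBCAppender takes a configured SQL string containing PatternLayout conversions such as %p, %c and %m, fills them in with the text of each log event, and executes the result through a plain JDBC Statement. The Python below emulates that substitution against an in-memory SQLite database and places it beside the parameterized form. The SQL template, schema, table names and payload are all constructed for the example.

```python
"""Emulation of the CVE-2022-23305 pattern: Log4j 1.2's JDBCAppender fills a
configured SQL template with PatternLayout conversions (%p, %c, %m, ...) and
runs the resulting string through Statement.executeUpdate. The message text
is never escaped or bound as a parameter, so a logged string controls the SQL.
Illustrative Python against SQLite, not Log4j or IBM code."""
import sqlite3

# Constructed sample: a template in the shape JDBCAppender accepts via its
# 'sql' option. Log4j substitutes the conversion patterns before executing it.
SQL_TEMPLATE = ("INSERT INTO logs (level, logger, message) "
                "VALUES ('%p', '%c', '%m')")

# Constructed sample schema: the log table plus an unrelated table that the
# appender's database user happens to be able to read.
SCHEMA = """
CREATE TABLE logs (level TEXT, logger TEXT, message TEXT);
CREATE TABLE users (name TEXT, role TEXT);
INSERT INTO users VALUES ('alice', 'admin');
INSERT INTO users VALUES ('bob', 'deploy');
"""

# Constructed attacker-controlled input: something the application logs
# verbatim, e.g. a username or request parameter. It closes the quoted %m
# value and splices in a subquery while staying within a single statement,
# so it does not depend on the JDBC driver allowing stacked queries.
PAYLOAD = "'||(SELECT group_concat(name||':'||role) FROM users)||'"


def vulnerable_append(conn, level, logger, message):
    """What the 1.2 JDBCAppender does: plain text substitution, then execute.
    Returns the SQL string that was actually run."""
    sql = (SQL_TEMPLATE.replace("%p", level)
                       .replace("%c", logger)
                       .replace("%m", message))
    conn.execute(sql)          # executed as one string, no bound parameters
    return sql


def safe_append(conn, level, logger, message):
    """The hardened form: the template holds placeholders only and every
    value is bound, so the message is stored as data whatever it contains."""
    conn.execute("INSERT INTO logs (level, logger, message) VALUES (?, ?, ?)",
                 (level, logger, message))


def stored_messages(conn):
    """The message column as it ended up in the log table."""
    return [row[0] for row in conn.execute("SELECT message FROM logs ORDER BY rowid")]


def run_demo(appender):
    """Log PAYLOAD once through the given appender on a fresh in-memory
    database and return what the log table now holds."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    appender(conn, "INFO", "com.example.Login", PAYLOAD)
    return stored_messages(conn)


if __name__ == "__main__":
    print("vulnerable:   ", run_demo(vulnerable_append))
    print("parameterized:", run_demo(safe_append))
```

With the vulnerable path the stored "message" is the contents of the users table, read by the injected subquery and written into the log row; with the parameterized path the payload is stored verbatim as an inert string. The same substitution step is what makes add, modify and delete possible on databases and drivers where the injected text can reach other statements.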

Affected Products and Versions

Affected Product(s)           Version(s) (all ranges inclusive)
IBM UrbanCode Deploy (UCD)    6.2.7.3 through 6.2.7.13
                              7.0.3.0 through 7.0.3.3
                              7.0.4.0 through 7.0.4.2
                              7.0.5.0 through 7.0.5.8
                              7.1.0.0 through 7.1.0.2
                              7.1.1.0 through 7.1.1.2
                              7.1.2.1 through 7.1.2.4
                              7.2.0.0 through 7.2.0.2
                              7.2.1.0 through 7.2.1.2

Remediation/Fixes

Upgrade to the fixed release for your stream: 6.2.7.14 (6.2.7.x), 7.0.5.9 (7.0.x), 7.1.2.5 (7.1.x), or 7.2.2.0 (7.2.x).

Workarounds and Mitigations

None. The JDBCAppender is only reachable when it has been added to the Log4j configuration (see Summary), so confirming that no configuration file references org.apache.log4j.jdbc.JDBCAppender tells you whether the vulnerable code path is active in a given install; that check is a triage aid, not a substitute for upgrading.
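A way to perform that configuration check, added here as an example that is not part of IBM's bulletin or of Log4j: it parses Log4j 1.x properties-style configuration, lists every appender whose class is org.apache.log4j.jdbc.JDBCAppender, and reports the SQL template each one executes and whether that template splices in the logged message. The sample configuration, file names and directory layout are constructed for the example; XML-format Log4j configuration would need a separate parser.

```python
"""Added example, not part of IBM's bulletin or of Log4j: scan Log4j 1.x
properties-style configuration for JDBCAppender definitions and report the
SQL template each one executes. Assumes the properties format
(log4j.appender.NAME=class, log4j.appender.NAME.sql=...)."""
import re
from pathlib import Path

JDBC_APPENDER_CLASS = "org.apache.log4j.jdbc.JDBCAppender"

# log4j.appender.<name>=<class>
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# log4j.appender.<name>.<option>=<value>   (the option may itself be dotted)
OPTION_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\.([^=\s]+)\s*=\s*(.*?)\s*$")

# Constructed sample configuration (not taken from any real UrbanCode install).
SAMPLE_CONFIG = """\
# sample log4j.properties
log4j.rootLogger=INFO, stdout, db
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.URL=jdbc:postgresql://db.example.internal/audit
log4j.appender.db.user=audit_writer
log4j.appender.db.sql=INSERT INTO logs (level, logger, message) VALUES ('%p', '%c', '%m')
"""


def parse_properties(text):
    """Return ({appender name: class}, {appender name: {option: value}})."""
    appenders, options = {}, {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":   # blank or comment line
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = OPTION_RE.match(line)
        if m:
            options.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return appenders, options


def find_jdbc_appenders(text):
    """List every JDBCAppender in the config with its SQL template and whether
    the template includes %m, the conversion that carries the logged message
    and is therefore the one most directly under an attacker's control."""
    appenders, options = parse_properties(text)
    findings = []
    for name, cls in appenders.items():
        if cls != JDBC_APPENDER_CLASS:
            continue
        sql = options.get(name, {}).get("sql", "")
        findings.append({"appender": name, "sql": sql, "logs_message": "%m" in sql})
    return findings


def scan_directory(root):
    """Map each *.properties file under root to its JDBCAppender findings,
    omitting files with none. Point root at the server's configuration
    directory (an assumed location; adjust for the install in question)."""
    results = {}
    for path in Path(root).rglob("*.properties"):
        try:
            findings = find_jdbc_appenders(path.read_text(errors="replace"))
        except OSError:
            continue
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for finding in find_jdbc_appenders(SAMPLE_CONFIG):
        print(finding)
```

A hit with logs_message set means application-controlled text reaches the SQL statement; a JDBCAppender whose template uses only %d or %p style conversions is still worth removing, since the bulletin's fix removes the component outright rather than constraining its template.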

CPE Name               Operator   Version
ibm urbancode deploy   eq         7.2.2.0
