Apr 07, 2022 - 3:42 a.m.

Security Bulletin: Vulnerability in json4j - CVE-2021-3918 (Publicly disclosed vulnerability) impacts IBM Watson Machine Learning Accelerator

2022-04-07 03:42:58
www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.004 Low
Percentile: 72.8%

Summary

Json4j is used by IBM Watson Machine Learning Accelerator. This bulletin provides mitigations for the addressable vulnerability (CVE-2021-3918) by upgrading addressable to the latest version.

Vulnerability Details

CVEID: CVE-2021-3918
**DESCRIPTION:** Json-schema could allow a remote attacker to execute arbitrary code on the system, caused by an improperly controlled modification of object prototype attributes. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213750 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Watson Machine Learning Accelerator | 2.2.0; 2.2.1; 2.2.2; 2.2.3; 2.3.0; 2.3.1; 2.3.2; 2.3.3; 2.3.4; 2.3.5 |

Remediation/Fixes

| Affected Product(s) | Version(s) | Remediation |
| --- | --- | --- |
| IBM Watson Machine Learning Accelerator | 2.2.0; 2.2.1; 2.2.2; 2.2.3 | To address the vulnerability, upgrade to IBM Watson Machine Learning Accelerator 2.3.1: <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning> And then upgrade all the way to 2.3.6. |
| IBM Watson Machine Learning Accelerator | 2.3.0; 2.3.1; 2.3.2; 2.3.3; 2.3.4; 2.3.5 | To address the vulnerability, upgrade to IBM Watson Machine Learning Accelerator 2.3.6: <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade> |

Workarounds and Mitigations

None
