Security Bulletin: Vulnerabilities in Spring Framework affects IBM Common Licensing's Administration And Reporting Tool (ART) and its Agent (CVE-2022-22978, 220811)

Summary

Security Vulnerablities have been addressed in IBM Common Licensing. In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. A fix is available to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-22978
**DESCRIPTION:**Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw in the RegexRequestMatcher component. By misconfiguring RegexRequestMatcher with . in the regular expression, an attacker could exploit this vulnerability to bypass authorization and obtain access.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

**IBM X-Force ID:**220811
**DESCRIPTION:**Spring Security could allow a remote attacker to obtain sensitive information, caused by a breach attack vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain CSRF tokens, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220811 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading and applying the suggested fix that uses upgraded version of FasterXML.

Apply IBM_LKS_Administration_And_Reporting_Tool_And_Agent_90_iFix6 from Fix Central.

Workarounds and Mitigations

None