Security Bulletin: Watson Machine Learning Accelerator is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22971)

2022-07-13 02:41:51
www.ibm.com

CVSS3: 6.5 Medium
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH

CVSS2: 4 Medium
AV:N/AC:L/Au:S/C:N/I:N/A:P
Access Vector: NETWORK; Access Complexity: LOW; Authentication: SINGLE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

EPSS: 0.006 Low (Percentile: 78.8%)

Summary

Watson Machine Learning Accelerator is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22971), as it does not meet all of the following criteria:

1. JDK 9 or higher,
2. Apache Tomcat as the Servlet container,
3. Packaged as WAR (in contrast to a Spring Boot executable jar),
4. spring-webmvc or spring-webflux dependency,
5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

WMLA uses the Spring Framework to manage the Java application's dependency injection, events, resources, i18n, validation, data binding, type conversion, SpEL, and AOP. The fix includes Spring 5.3.20.
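The criteria above only classify a deployment as vulnerable when all of them hold at once, and the version clause covers two ranges plus everything older. The following triage helper, added here as an example and not IBM's or Spring's code, encodes those criteria so an inventory of Java applications can be checked consistently; the AppProfile fields and the sample inventory are constructed for illustration.

```python
"""Triage helper for the Spring Framework criteria listed in the bulletin.
Added example, not IBM's or Spring's code; the profile fields and the
sample inventory below are constructed for illustration."""
from dataclasses import dataclass

# Ranges quoted in the bulletin; anything older than the lowest is also affected.
VULNERABLE_RANGES = [((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19))]
FIXED_VERSION = (5, 3, 20)  # version the bulletin names as the fix


def parse_version(text):
    """'5.3.17' -> (5, 3, 17); trailing qualifiers such as '.RELEASE' are ignored."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts + [0] * (3 - len(parts)))


def spring_version_affected(version):
    """True if the version is in a listed range or older than all of them."""
    v = parse_version(version)
    if v < min(low for low, _ in VULNERABLE_RANGES):  # 'and older versions'
        return True
    return any(low <= v <= high for low, high in VULNERABLE_RANGES)


@dataclass
class AppProfile:  # constructed inventory record, not an IBM data model
    jdk_major: int
    servlet_container: str
    packaging: str          # 'war' or 'jar'
    dependencies: tuple
    spring_version: str


def meets_all_criteria(p):
    """All five bulletin criteria must hold for the app to be classified vulnerable."""
    return (
        p.jdk_major >= 9
        and p.servlet_container.lower() == "tomcat"
        and p.packaging.lower() == "war"
        and any(d in p.dependencies for d in ("spring-webmvc", "spring-webflux"))
        and spring_version_affected(p.spring_version)
    )


# Constructed sample inventory: the first app fails the WAR criterion, the second meets all five.
SAMPLE = [AppProfile(11, "Tomcat", "jar", ("spring-webmvc",), "5.3.17"),
          AppProfile(17, "Tomcat", "war", ("spring-webflux",), "5.3.17")]
```

A deployment that fails any single criterion, as the first sample does, is reported as affected-but-not-vulnerable, matching the bulletin's classification for WMLA.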

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s): Watson Machine Learning Accelerator on Cloud Pak for Data
Version(s): 2.2.x; 2.3.x

Remediation/Fixes

1. For Watson Machine Learning Accelerator version 2.2.x

To address the affected version, upgrade to IBM Watson Machine Learning Accelerator 2.2.5 by following the document <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning>

2. For Watson Machine Learning Accelerator version 2.3.x

To address the affected version, upgrade to IBM Watson Machine Learning Accelerator 2.3.5 by following the document <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade>
Then follow <https://ibmdocs-test.mybluemix.net/docs/en/cloud-paks/cp-data/4.5.x?topic=accelerator-upgrading> to upgrade from WMLA 2.3.5 to WMLA 2.4.0

Workarounds and Mitigations

None
