9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
70.1%
The IBM® Engineering Lifecycle Engineering products are affected because the IBM ORB does not honour JEP 290 deserialization filters when deserializing serialised object data. This exposes the Java process to a variety of attacks ranging from denial of service to remote code execution via "gadgets" in third-party components. The fix ensures that the ORB deserializer respects JEP 290 deserialization filters. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack and are addressed in this bulletin: IBM Engineering Test Management, IBM Engineering Requirements Management DOORS Next, IBM Jazz Reporting Service, IBM Engineering Lifecycle Optimization - Engineering Insights, IBM Engineering Lifecycle Optimization - Publishing
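The following is an added example, not IBM code or code from the bulletin, showing what "honouring a JEP 290 filter" means in practice: a plain `ObjectInputStream` with a filter attached accepts only the allow-listed class and rejects everything else, which is the check a deserializer that bypasses the filter (the defect described above) never performs. It assumes Java 9 or later for `java.io.ObjectInputFilter` (on Java 8u121 and later the equivalent type is `sun.misc.ObjectInputFilter`); the `Greeting` and `Unexpected` classes are constructed sample types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not IBM code): demonstrates a JEP 290 deserialization filter
// being enforced by ObjectInputStream. Requires Java 9+ for java.io.ObjectInputFilter.
public class Jep290FilterDemo {

    // Constructed sample type that the application legitimately expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Constructed stand-in for any serializable class that is not expected on this
    // stream; the filter treats it exactly as it would a gadget class from a library.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list filter: only Greeting (and String, which it contains) may be
    // deserialized; the trailing "!*" rejects every other class. The limits bound
    // the object graph so a malformed stream cannot exhaust the heap or the stack.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=10000;maxrefs=1000;"
            + "Jep290FilterDemo$Greeting;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached to this stream. A process-wide filter can
    // be set instead via the jdk.serialFilter system property or
    // ObjectInputFilter.Config.setSerialFilter(...); a deserializer that does not go
    // through ObjectInputStream's filter check honours neither.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // Returns true if the filter accepted the stream, false if it rejected it.
    static boolean accepted(byte[] data) throws IOException, ClassNotFoundException {
        try {
            readFiltered(data);
            return true;
        } catch (InvalidClassException rejected) {
            // The JDK reports a filter rejection as InvalidClassException
            // with the message "filter status: REJECTED".
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new Unexpected());
        System.out.println("Greeting accepted:   " + accepted(expected));
        System.out.println("Unexpected accepted: " + accepted(unexpected));
    }
}
```

Running the class prints `true` for the `Greeting` stream and `false` for the `Unexpected` stream. The same pattern string can be supplied process-wide through `-Djdk.serialFilter=...`, but that only protects code paths that deserialize through `ObjectInputStream`'s filter hook, which is why the ORB fix in this bulletin matters independently of any filter an administrator has configured.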
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Product(s) | Version(s) |
---|---|
IBM Engineering Test Management | 7.0.1 |
IBM Engineering Lifecycle Optimization - Publishing | 7.0.1 |
IBM Jazz Reporting Service | 7.0.1 |
IBM Engineering Requirements Management DOORS Next | 7.0.1 |
IBM Engineering Lifecycle Optimization - Engineering Insights | 7.0.1 |
IBM Engineering Test Management | 7.0.2 |
IBM Engineering Lifecycle Optimization - Publishing | 7.0.2 |
IBM Jazz Reporting Service | 7.0.2 |
IBM Engineering Requirements Management DOORS Next | 7.0.2 |
IBM Engineering Lifecycle Optimization - Engineering Insights | 7.0.2 |
If any of the affected products listed above is deployed on one of the above versions, please follow the instructions given in the following article.
Link: <https://www.ibm.com/support/pages/node/7017032>
How to update the IBM SDK for Java of Engineering Lifecycle Management products: please refer to the article below for more details.
Affected Releases
-----------------
7.1.5.18 and earlier
8.0.8.0 and earlier
Fixed Releases
--------------
7.1.5.19 and later (access restricted to products with an extended support agreement in place with IBM Runtimes)
8.0.8.5 and later
None