History: Sep 29, 2023 - 11:56 a.m.

Security Bulletin: The IBM® Engineering Lifecycle Engineering product is affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609)

2023-09-29 11:56:47
www.ibm.com
ibm
engineering lifecycle
java deserialization
ibm orb
jep 290
cve-2022-40609
remote code execution

9.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003 Low (Percentile 70.1%)

Summary

The IBM® Engineering Lifecycle Engineering product is affected because IBM ORB does not honour JEP 290 deserialization filters when deserializing serialised object data. This exposes the Java process to a variety of attacks ranging from denial of service to remote code execution via “gadgets” in third-party components. The fix ensures that the ORB deserializer respects JEP 290 deserialization filters. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack and are addressed in this bulletin: IBM Engineering Test Management, IBM Engineering Requirements Management DOORS Next, IBM Jazz Reporting Service, IBM Engineering Lifecycle Optimization - Engineering Insights, IBM Engineering Lifecycle Optimization - Publishing.
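To show what a JEP 290 filter does when the deserializer actually honours it (the behaviour the fix restores for the ORB path), here is an added Java example; it is not IBM's code and not part of the bulletin. It serialises a constructed, harmless ArrayList, then reads it back once under an allow-list filter that admits it and once under a filter that rejects java.util.ArrayList, which makes ObjectInputStream throw InvalidClassException. The class and method names are the example's own; the filter API (java.io.ObjectInputFilter, ObjectInputStream.setObjectInputFilter) is the standard JDK 9+ API. In the affected versions the IBM ORB deserialization path bypassed such filters, so a process-wide jdk.serialFilter is not a substitute for the updates listed under Remediation/Fixes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

// Example class name is hypothetical; not from the bulletin or IBM's products.
public class Jep290FilterDemo {

    // Serialise any object into a byte array (the "serialised object data" a
    // deserializer would later read).
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialise with an explicit JEP 290 filter attached to the stream.
    // A deserializer that ignores the filter (the bug described above) would
    // behave as if `filter` were never set.
    static Object deserialise(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed, harmless sample payload.
        List<String> payload = new ArrayList<>();
        payload.add("constructed sample");
        byte[] data = serialise(payload);

        // Allow-list filter: only java.util.ArrayList and java.lang.String may be
        // resolved; "!*" rejects every other class (gadget classes included).
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;!*");
        Object accepted = deserialise(data, allowList);
        System.out.println("allow-list filter accepted: " + accepted);

        // Filter that rejects java.util.ArrayList: the very same stream is now
        // refused with InvalidClassException ("filter status: REJECTED").
        ObjectInputFilter denyList = ObjectInputFilter.Config.createFilter("!java.util.ArrayList");
        try {
            deserialise(data, denyList);
            System.out.println("unexpected: filter was not honoured");
        } catch (InvalidClassException e) {
            System.out.println("filter rejected stream: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac Jep290FilterDemo.java && java Jep290FilterDemo` on JDK 9 or later. The same pattern syntax is accepted by the `jdk.serialFilter` system or security property for a process-wide filter; an allow-list that ends in `!*` is the form that limits exposure to unknown gadget chains, but only for code paths that consult the filter.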

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s)                                            Version(s)
IBM Engineering Test Management                                7.0.1
IBM Engineering Lifecycle Optimization - Publishing            7.0.1
IBM Jazz Reporting Service                                     7.0.1
IBM Engineering Requirements Management DOORS Next             7.0.1
IBM Engineering Lifecycle Optimization - Engineering Insights  7.0.1
IBM Engineering Test Management                                7.0.2
IBM Engineering Lifecycle Optimization - Publishing            7.0.2
IBM Jazz Reporting Service                                     7.0.2
IBM Engineering Requirements Management DOORS Next             7.0.2
IBM Engineering Lifecycle Optimization - Engineering Insights  7.0.2

Remediation/Fixes

If any of the affected products listed above is deployed at one of those versions, follow the instructions given in the following article.

Link: <https://www.ibm.com/support/pages/node/7017032>

For how to update the IBM SDK for Java used by Engineering Lifecycle Management products, refer to the following article for more details.

<https://www.ibm.com/support/pages/how-update-ibm-sdk-java-engineering-lifecycle-management-products>

Affected Releases
-----------------
7.1.5.18 and earlier
8.0.8.0 and earlier

Fixed Releases
--------------
7.1.5.19 and later (access restricted to products with an extended support agreement in place with IBM Runtimes)
8.0.8.5 and later

Workarounds and Mitigations

None

Affected configurations

Vulners Node:
  ibm ibm_engineering_lifecycle_management_base Match 6.0.6
  OR ibm ibm_engineering_lifecycle_management_base Match 6.0.6.1
  OR ibm ibm_engineering_lifecycle_management_base Match 7.0
  OR ibm ibm_engineering_lifecycle_management_base Match 7.0.1
  OR ibm ibm_engineering_lifecycle_management_base Match 7.0.2
