Security Bulletin: IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966)

2023-02-08 06:56:05
www.ibm.com

7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

0.005 Low (EPSS)
Percentile: 75.1%

Summary

IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability). XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only, via manipulation of the processed input stream. XStream is bundled with the activemq-all-5.16.4 jar.

Vulnerability Details

CVEID: CVE-2022-41966
**DESCRIPTION:** XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By manipulating the processed input stream at unmarshalling time, a remote attacker could exploit this vulnerability to replace or inject objects and cause a denial of service.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243448 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Affected Products and Versions

Affected Product(s): Jazz for Service Management
Version(s): 1.1.3

Remediation/Fixes

Affected JazzSM Version: Jazz for Service Management versions 1.1.3.*
Recommended Fix: the vulnerable XStream package needs to be removed from activemq-all-5.16.4.jar.

Follow the steps below to remove the XStream package:

1. Back up the existing activemq-all-xxx.jar located under <JazzSM_HOME>/profile/installedApps/JazzSMNode01Cell/isc.ear/
2. Remove the following XStream-related files and folder from activemq-all-5.16.4.jar:
- com.sun.istack.XMLStreamReaderToContentHandler.class
- com.sun.xml.bind.v2.runtime.output.StAXExStreamWriterOutput.class
- com.sun.xml.bind.v2.runtime.output.XMLStreamWriterOutput.class
- com.sun.xml.bind.v2.runtime.unmarshaller.StAXExConnector.class
- com.sun.xml.bind.v2.runtime.unmarshaller.StAXStreamConnector.class
- com.sun.xml.bind.v2.runtime.unmarshaller.StAXStreamConnector$1.class
- com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.class
- org.apache.activemq.plugin.SubQueueSelectorCacheBroker$SubSelectorClassObjectInputStream.class
- org.apache.activemq.store.kahadb.MessageDatabase$MessageDatabaseObjectInputStream.class
- org.apache.activemq.transport.http.HttpTransportFactory.class
- org.apache.activemq.transport.http.HttpTransportServer.class
- org.apache.activemq.transport.http.HttpTunnelServlet.class
- org.apache.activemq.transport.stomp.JmsFrameTranslator.class
- org.apache.activemq.transport.stomp.JmsFrameTranslator$1.class
- org.apache.activemq.util.ClassLoadingAwareObjectInputStream.class
- org.apache.activemq.util.XStreamSupport.class
- org.apache.camel.builder.DataFormatClause.class
- org.apache.camel.model
3. Rezip the jar and restart the server.
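The three steps above, carried out by a Python script added here for illustration; it is not IBM's tool and is not part of the bulletin. It maps the bulletin's dotted names to jar entry paths (an assumption about how the list corresponds to archive entries; `org.apache.camel.model`, which has no `.class` suffix, is treated as a package directory), backs up the jar, rewrites it without those entries, and reports which listed entries were not found so a mismatched activemq version is noticed rather than silently "fixed". `demo()` runs the procedure on a constructed sample archive, not the real activemq-all-5.16.4.jar; to apply it, stop the server and call `strip_jar()` on the jar under <JazzSM_HOME>/profile/installedApps/JazzSMNode01Cell/isc.ear/.

```python
"""Remove the XStream-related entries named in the bulletin from an
activemq-all jar: back up the original, copy every other entry into a
fresh archive, and report what was dropped and what was not found.
Added example; not an IBM tool."""
import os
import shutil
import tempfile
import zipfile

# Entries exactly as the bulletin lists them (dotted form). The last one,
# org.apache.camel.model, is a package directory rather than a class.
BULLETIN_ENTRIES = [
    "com.sun.istack.XMLStreamReaderToContentHandler.class",
    "com.sun.xml.bind.v2.runtime.output.StAXExStreamWriterOutput.class",
    "com.sun.xml.bind.v2.runtime.output.XMLStreamWriterOutput.class",
    "com.sun.xml.bind.v2.runtime.unmarshaller.StAXExConnector.class",
    "com.sun.xml.bind.v2.runtime.unmarshaller.StAXStreamConnector.class",
    "com.sun.xml.bind.v2.runtime.unmarshaller.StAXStreamConnector$1.class",
    "com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.class",
    "org.apache.activemq.plugin.SubQueueSelectorCacheBroker$SubSelectorClassObjectInputStream.class",
    "org.apache.activemq.store.kahadb.MessageDatabase$MessageDatabaseObjectInputStream.class",
    "org.apache.activemq.transport.http.HttpTransportFactory.class",
    "org.apache.activemq.transport.http.HttpTransportServer.class",
    "org.apache.activemq.transport.http.HttpTunnelServlet.class",
    "org.apache.activemq.transport.stomp.JmsFrameTranslator.class",
    "org.apache.activemq.transport.stomp.JmsFrameTranslator$1.class",
    "org.apache.activemq.util.ClassLoadingAwareObjectInputStream.class",
    "org.apache.activemq.util.XStreamSupport.class",
    "org.apache.camel.builder.DataFormatClause.class",
    "org.apache.camel.model",
]


def to_jar_path(dotted):
    """'a.b.C$1.class' -> 'a/b/C$1.class'; a name without '.class' is
    taken to be a package directory and becomes the prefix 'a/b/'.
    (Assumed mapping from the bulletin's notation to archive entries.)"""
    if dotted.endswith(".class"):
        return dotted[: -len(".class")].replace(".", "/") + ".class"
    return dotted.replace(".", "/") + "/"


def matching_target(entry_name, targets):
    """Return the target that covers this jar entry (exact class match or
    package-directory prefix), or None if the entry should be kept."""
    for t in targets:
        if t.endswith("/") and entry_name.startswith(t):
            return t
        if entry_name == t:
            return t
    return None


def strip_jar(jar_path, dotted_entries=BULLETIN_ENTRIES):
    """Back up jar_path to jar_path + '.bak', rewrite the jar without the
    targeted entries, and return (removed, kept, missing) where missing
    lists targets that matched nothing in the archive."""
    targets = [to_jar_path(d) for d in dotted_entries]
    backup = jar_path + ".bak"
    shutil.copy2(jar_path, backup)                   # step 1: keep the original
    removed, kept, matched = [], [], set()
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(backup) as src, \
            zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            hit = matching_target(info.filename, targets)
            if hit is not None:                      # step 2: drop listed entries
                removed.append(info.filename)
                matched.add(hit)
                continue
            dst.writestr(info, src.read(info.filename))  # copy everything else
            kept.append(info.filename)
    os.replace(tmp, jar_path)                        # step 3: rezipped jar takes the old name
    missing = [t for t in targets if t not in matched]
    return removed, kept, missing


def build_sample_jar(path):
    """Constructed sample archive (not the real activemq-all jar) holding a
    few listed entries and a few neighbours that must survive."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic, stands in for real bytecode
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/activemq/util/XStreamSupport.class", magic)
        z.writestr("org/apache/activemq/util/IntrospectionSupport.class", magic)
        z.writestr("org/apache/camel/model/RouteDefinition.class", magic)
        z.writestr("org/apache/camel/model/language/XPathExpression.class", magic)
        z.writestr("org/apache/camel/builder/DataFormatClause.class", magic)
        z.writestr("org/apache/camel/builder/RouteBuilder.class", magic)


def demo():
    """Run the full procedure on the constructed jar in a temp directory and
    return (removed, remaining, missing), each sorted."""
    work = tempfile.mkdtemp()
    jar = os.path.join(work, "activemq-all-5.16.4.jar")
    build_sample_jar(jar)
    removed, _kept, missing = strip_jar(jar)
    with zipfile.ZipFile(jar) as z:
        remaining = sorted(z.namelist())
    shutil.rmtree(work)
    return sorted(removed), remaining, sorted(missing)


if __name__ == "__main__":
    removed, remaining, missing = demo()
    print("removed:", removed)
    print("remaining:", remaining)
    print("listed but not present:", len(missing))
```

After running `strip_jar()` on the real jar, review the `missing` list: every bulletin entry should have been present in an unmodified activemq-all-5.16.4.jar, so a non-empty list means the archive is not the version the bulletin describes and the backup should be restored while that is investigated.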

Workarounds and Mitigations

None

CPE Name: jazz for service management
Operator: eq
Version: 1.1.3
