Security Bulletin: A VMWare Tanzu Spring Vulerability Affects IBM OpenPages with Watson (CVE-2022-22950)

Summary

There is a vulnerability in the Spring Framework open source library used by IBM OpenPages with Watson. This affects the IBM OpenPages application server. This vulnerability has been addressed.

Vulnerability Details

CVEID:CVE-2022-22950
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223096 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)

Affected Products and Versions

IBM OpenPages with Watson

|

8.3, 8.2

Remediation/Fixes

A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:

For IBM OpenPages with Watson 8.3

- Apply 8.3 Fix Pack 2 (8.3.0.2) or later

|

<https://www.ibm.com/support/pages/openpages-watson-83-fix-pack-2&gt;

For IBM OpenPages with Watson 8.2

- Upgrade to 8.2 Fix Pack 4 (8.2.0.4)

- Apply Interim Fix 7 (8.2.0.4.7) or later

Or

- Upgrade to 8.2 Fix Pack 5 (8.2.0.5)

|

IBM recommends to use the latest Interim Fix (IF) or Fix Pack. Here is the link for more information:

<https://www.ibm.com/support/pages/openpages-watson-82-fix-list&gt;

For IBM OpenPages with Watson 8.0/8.1 customers, IBM recommends to upgrade to a fixed and supported versions 8.2, 8.3 or9.0 of the product.

Workarounds and Mitigations

None