
Security Bulletin: IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363)

2023-07-21 12:08:44
www.ibm.com

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 37.9%

Summary

A security vulnerability has been identified and addressed in Apache CXF shipped with IBM Sterling Global Mailbox.

Vulnerability Details

CVEID: CVE-2022-46363
**DESCRIPTION:** Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform directory listing or code exfiltration, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242009 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
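
As an added defensive check, not part of the IBM bulletin: a small Python script that scans a Java web.xml for CXFServlet declarations that set both init-params named in the description above, so an administrator can find deployments matching the affected configuration. The servlet class name `org.apache.cxf.transport.servlet.CXFServlet`, the use of web.xml init-params to express the two attributes, and the sample web.xml are assumptions; the bulletin itself shows no configuration.

```python
"""Audit a web.xml for the CXFServlet init-param combination described in
CVE-2022-46363: a CXFServlet that sets both 'static-resources-list' and
'redirect-query-check' matches the affected configuration."""
import xml.etree.ElementTree as ET

# Assumed CXF servlet class (standard Apache CXF class, not taken from the bulletin).
CXF_SERVLET_CLASS = "org.apache.cxf.transport.servlet.CXFServlet"
RISKY_PARAMS = {"static-resources-list", "redirect-query-check"}


def _local(tag):
    """Strip any XML namespace prefix from a tag name (web.xml is usually namespaced)."""
    return tag.rsplit("}", 1)[-1]


def find_affected_servlets(web_xml):
    """Return servlet-names of CXFServlet declarations that set BOTH risky params."""
    root = ET.fromstring(web_xml)
    affected = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = name = None
        params = set()
        for child in servlet:
            t = _local(child.tag)
            if t == "servlet-class":
                cls = (child.text or "").strip()
            elif t == "servlet-name":
                name = (child.text or "").strip()
            elif t == "init-param":
                for p in child:
                    if _local(p.tag) == "param-name":
                        params.add((p.text or "").strip())
        # Only the combination of both parameters is the affected configuration.
        if cls == CXF_SERVLET_CLASS and RISKY_PARAMS <= params:
            affected.append(name)
    return affected


# Constructed sample web.xml (not from the bulletin): the first servlet sets both
# attributes, the second sets only static-resources-list and must not be flagged.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param><param-name>static-resources-list</param-name><param-value>.*\\.html</param-value></init-param>
    <init-param><param-name>redirect-query-check</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>StaticOnly</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param><param-name>static-resources-list</param-name><param-value>.*\\.html</param-value></init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for name in find_affected_servlets(SAMPLE_WEB_XML):
        print(f"review servlet '{name}': sets both static-resources-list and redirect-query-check")
```

A flagged servlet only identifies the configuration the bulletin describes; since the bulletin lists no workaround, the remediation remains the fix levels given below.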

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Global Mailbox | 6.1.2 |
| IBM Sterling Global Mailbox | 6.0.3 |

Remediation/Fixes

| Product | Version | Fix / Remediation |
|---|---|---|
| IBM Sterling Global Mailbox | 6.0.3 | Apply 6.0.3.8 |
| IBM Sterling Global Mailbox | 6.1.2 | Apply 6.1.2.2 |

6.0.3.8 is now available on Fix Central -

B2Bi IIM

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-All&source=SAR

B2Bi Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-Docker-All&source=SAR

SFG IIM

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-All&source=SAR

SFG Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-Docker-All&source=SAR

6.1.2.2 IIM & Certified Container is now available on Fix Central -

B2Bi IIM

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.1.2.2-OtherSoftware-B2Bi-All&source=SAR

JDK for B2Bi

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=8.0.7.15-JavaSE-SDK-B2Bi-6122&source=SAR

SFG IIM

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.1.2.2-OtherSoftware-SFG-All&source=SAR

JDK for SFG

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=8.0.7.15-JavaSE-SDK-sfg-6122&source=SAR

Certified Container

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.

IBM Sterling B2B Integrator V6.1.2.2

IBM Sterling File Gateway V6.1.2.2

Workarounds and Mitigations

None
