CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 7.4 High (Confidence: High)
EPSS: 0.003 Low (Percentile: 65.8%)
IBM Operations Analytics Predictive Insights uses IBM® SDK, Java™ Technology Edition, and vulnerability CVE-2022-40609 may expose the Java process to a variety of malicious attacks
CVEID: CVE-2022-40609
**DESCRIPTION:** IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Operations Analytics Predictive Insights | 1.3.5 |
IBM Operations Analytics Predictive Insights | 1.3.6 |
Step One: If not applied already, apply 1.3.6 Interim Fix 6, then apply 1.3.6 Interim Fix 7
Note: iFix6 is a requirement for the application of iFix7.
Both iFix6 and iFix7 can be found in FixCentral: https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Predictive+Insights&release=1.3.6
_Step Two: Java 8.0.8.5 Installation Instructions_
As the user that installed the Predictive Insights UI component, e.g. scadmin
1. Download the ibm-java-x86_64-sdk-8.0-8.5.bin (161.93 MB) file from Fix Central: Java 8.0.8.5 (Service Refresh 8 Fix Pack 5 for IBM SDKs for Java Technology version 8.0, for Linux 64-bit, x86_64)
2. As the user that installed the Predictive Insights UI, stop the UI server used by IBM Operations Analytics Predictive Insights
<UI_HOME>/bin/pi.sh -stop
where UI_HOME is typically /opt/IBM/scanalytics/UI
3. cd <UI_HOME>
4. Rename JAVA SDK installation folder
mv ibm-java-x86_64-80 ibm-java-x86_64-80_orig
5. As the root user, or a user with sudo access, run the ibm-java-x86_64-sdk-8.0-8.5.bin to install the SDK into the <UI_HOME> folder.
When prompted for “Where would you like to install?”, supply the full path <UI_HOME>/ibm-java-x86_64-80
This will create a new ibm-java-x86_64-80 folder in <UI_HOME>
6. If necessary, change the ownership of the newly installed SDK
e.g. chown -R scadmin:scadmin /opt/IBM/scanalytics/UI/ibm-java*
7. As the user that installed the Predictive Insights UI, start the UI server
<UI_HOME>/bin/pi.sh -start
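A post-install check for the steps above, as an added example that is not part of the IBM bulletin: it parses `java -version` text and reports whether the SDK under `<UI_HOME>` is at or above 8.0.8.5, which also catches a folder that was left at, or rolled back to, the old level. The function names, the `bin/java` launcher path and the `(build a.b.c.d - ...)` output format are assumptions, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): confirm the SDK under <UI_HOME>
# reports at least the level installed in Step Two.
FIXED_LEVEL="8.0.8.5"

# Constructed samples of `java -version` text. Assumption: the IBM SDK prints a
# "(build <a.b.c.d> - <build id>)" line; the build ids here are placeholders.
SAMPLE_FIXED='java version "1.8.0"
Java(TM) SE Runtime Environment (build 8.0.8.5 - BUILD-ID-PLACEHOLDER)
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit)'
SAMPLE_OLD='Java(TM) SE Runtime Environment (build 8.0.8.0 - BUILD-ID-PLACEHOLDER)'

# Print the four-part SDK level found in the version text, or nothing.
sdk_level() {
    printf '%s\n' "$1" |
        sed -n 's/.*(build \([0-9][0-9]*\(\.[0-9][0-9]*\)\{3\}\) .*/\1/p' |
        head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing field by field as integers.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Classify version text: at-fix-level, below-fix-level, or unknown (unparsed).
check_sdk() {
    level=$(sdk_level "$1")
    if [ -z "$level" ]; then echo "unknown"
    elif version_ge "$level" "$FIXED_LEVEL"; then echo "at-fix-level $level"
    else echo "below-fix-level $level"
    fi
}

# Run against the real install only when UI_HOME is set (launcher path assumed).
JAVA_BIN="${UI_HOME:-}/ibm-java-x86_64-80/bin/java"
if [ -n "${UI_HOME:-}" ] && [ -x "$JAVA_BIN" ]; then
    check_sdk "$("$JAVA_BIN" -version 2>&1)"
fi
```

Run it as the UI user with `UI_HOME` exported after step 7; an `unknown` result means the version text did not match the assumed format and should be read by hand.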
Remove Update Instructions (if you want to revert the Java 8.0.8.5 installation)
As the user that installed the Predictive Insights UI component, e.g. scadmin
1. As the user that installed the Predictive Insights UI, stop the UI server used by IBM Operations Analytics Predictive Insights
<UI_HOME>/bin/pi.sh -stop
2. As the root user, or a user with sudo access, run the ibm-java-x86_64-sdk-8.0-8.5.bin and follow the prompts to uninstall the Java that was installed to <UI_HOME>
3. As the user that installed the Predictive Insights UI, replace the JAVA SDK installation folder with the original
mv ibm-java-x86_64-80_orig ibm-java-x86_64-80
4. As the user that installed the Predictive Insights UI, start UI server
<UI_HOME>/bin/pi.sh -start
None
CPE

Name | Operator | Version |
---|---|---|
ibm operations analytics predictive insights | eq | 1.3.5 |
ibm operations analytics predictive insights | eq | 1.3.6 |