
Security Bulletin: Vulnerabilities in FasterXML Jackson Databind and Apache Xerces affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments

2022-09-28 23:53:06
www.ibm.com

CVSS3: 7.5 High (the highest of the CVEs listed below, CVE-2020-25649)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
(Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: High; Availability Impact: None)

CVSS2: 7.1 High
AV:N/AC:M/Au:N/C:N/I:N/A:C
(Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Complete)

EPSS: 0.005 Low (percentile 76.6%)

Summary

IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments may be affected by the FasterXML Jackson Databind and Apache Xerces vulnerabilities (CVEs) listed below.

Vulnerability Details

CVEID: CVE-2020-25649
**DESCRIPTION:** FasterXML Jackson Databind could provide weaker than expected security because entity expansion is not secured properly when XML content is parsed into a DOM during deserialization. A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks and affect data integrity.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/192648 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2022-23437
**DESCRIPTION:** Apache Xerces2 Java XML Parser is vulnerable to a denial of service, caused by an infinite loop in the XML parser. By persuading a victim to open a specially crafted XML document, a remote attacker could exploit this vulnerability to consume system resources for a prolonged duration.
CVSS Base score: 5.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/217982 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**IBM X-Force ID:** 217968
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to a denial of service, caused by an error when JDK serialization is used to serialize and deserialize JsonNode values. By sending a specially crafted request, an attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/217968 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Spectrum Protect Backup-Archive Client | 8.1.0.0-8.1.15.1 (Macintosh and Windows); 8.1.7.0-8.1.15.1 (Linux, web user interface only); 8.1.9.0-8.1.15.1 (AIX, web user interface only)
IBM Spectrum Protect for Space Management | 8.1.7.0-8.1.15.1 (Linux); 8.1.9.0-8.1.15.1 (AIX)
IBM Spectrum Protect for Virtual Environments: Data Protection for VMware | 8.1.0.0-8.1.15.1 (Linux and Windows)
IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V | 8.1.0.0-8.1.15.1 (Windows)

Remediation/Fixes

_IBM Spectrum Protect Backup-Archive Client Affected Versions_ | _Fixing Level_ | _Platform_ | _Link to Fix and Instructions_
---|---|---|---
8.1.9.0-8.1.15.1 (AIX (*)); 8.1.7.0-8.1.15.1 (Linux (*)); 8.1.0.0-8.1.15.1 (Macintosh); 8.1.0.0-8.1.15.1 (Windows) | 8.1.15.2 | AIX (*), Linux (*), Macintosh, Windows | https://www.ibm.com/support/pages/node/6593819

(*) The AIX and Linux platforms are only affected if using the web user interface.

_IBM Spectrum Protect for Space Management Affected Versions_ | _Fixing Level_ | _Platform_ | _Link to Fix and Instructions_
---|---|---|---
8.1.9.0-8.1.15.1 (AIX); 8.1.7.0-8.1.15.1 (Linux) | 8.1.15.2 | AIX, Linux | https://www.ibm.com/support/pages/node/316077

_IBM Spectrum Protect for Virtual Environments: Data Protection for VMware Affected Versions_ | _Fixing Level_ | _Platform_ | _Link to Fix and Instructions_
---|---|---|---
8.1.0.0-8.1.15.1 (Linux); 8.1.0.0-8.1.15.1 (Windows) | 8.1.15.2 | Linux, Windows | https://www.ibm.com/support/pages/node/6568701

_IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V Affected Versions_ | _Fixing Level_ | _Platform_ | _Link to Fix and Instructions_
---|---|---|---
8.1.0.0-8.1.15.1 (Windows) | 8.1.15.2 | Windows | https://www.ibm.com/support/pages/node/6568701

Workarounds and Mitigations

None
