Lucene search

K
ibmIBM7E8878DEF40BCD844F1A0CFB1DC598DDDA8F2EE236AEE3F6D273EE39BEDD2180
HistoryJul 21, 2023 - 12:39 p.m.

Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003)

2023-07-2112:39:37
www.ibm.com
28
ibm sterling global mailbox
denial of service
fasterxml jackson-databind
cve-2022-42003
vulnerability
patch
fix
ibm sterling b2b integrator
ibm sterling file gateway

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.003

Percentile

65.3%

Summary

Security vulnerability have been Identified and addressed in FasterXML jackson-databind library shipped with IBM Sterling Global Mailbox.

Vulnerability Details

CVEID:CVE-2022-42003
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237662 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Global Mailbox 6.0.3.7
IBM Sterling Global Mailbox 6.1.2.0

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes addressed by Jackson Databind which is shipped with Global Mailbox.

Product

|

Version

|

Fix / Remediation

—|—|—

IBM Sterling Global Mailbox

|

6.0.3.7

|

Apply 6.0.3.8

IBM Sterling Global Mailbox

|

6.1.2.0

|

Apply 6.1.2.1

6.0.3.8 is now available on Fix Central -

B2Bi IIM
Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-All&source=SAR

B2Bi Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-Docker-All&source=SAR

SFG IIM

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-All&source=SAR

SFG Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-Docker-All&source=SAR

6.1.2.1 IIM & Certified Container is now available on Fix Central -

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-B2Bi-All+&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-SFG-All+&includeSupersedes=0

Certified Container

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.

IBM Sterling B2B Integrator V6.1.2.1

  • Certified Container Image

cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1

  • Helm Chart

<https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-b2bi-prod-2.1.1.tgz&gt;

IBM Sterling File Gateway V6.1.2.1

  • Certified Container Image

cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmhigh_availability_cluster_multiprocessingMatch6.0.2

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.003

Percentile

65.3%