History: Sep 03, 2023 - 3:46 p.m.

Security Bulletin: IBM Sterling Connect:Direct Browser User Interface vulnerable to remote code execution due to IBM Java (CVE-2022-40609)

2023-09-03 15:46:15
www.ibm.com
Tags: ibm sterling connect:direct, browser interface, remote code execution, cve-2022-40609, update, 1.5.0.2.ifix38

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.006
Percentile: 78.0%

Summary

IBM Sterling Connect:Direct Browser User Interface uses IBM® Runtime Environment Java™ Version 8.0, which has a remote code execution vulnerability. IBM Sterling Connect:Direct Browser User Interface has addressed the applicable CVE.

Vulnerability Details

**CVEID:** CVE-2022-40609
**DESCRIPTION:** IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Sterling Connect Direct Browser User Interface | 1.5.0.2 |
| IBM Sterling Connect Direct Browser User Interface | 1.4.1.1 |

Remediation/Fixes

Apply 1.5.0.2.iFix38, available on Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm ibm_sterling_connect\direct_browser_user_interface, Match 1.5.0.2

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | ibm_sterling_connect\direct_browser_user_interface | 1.5.0.2 | cpe:2.3:a:ibm:ibm_sterling_connect\:direct_browser_user_interface:1.5.0.2:*:*:*:*:*:*:* |
