Lucene search

IBM8D456C455801C32B98A3BE423730DD5A2717AD7F9EEE7DA3EBBE211286D3082E

HistoryMar 02, 2023 - 8:50 p.m.

Security Bulletin: There are multiple vulnerabilities in Node.js used by IBM Maximo Asset Management (CVE-2022-21681, CVE-2022-21680)

2023-03-0220:50:22

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

67.3%

JSON

Summary

There are multiple vulnerabilities in Node.js used by IBM Maximo Asset Management.

Vulnerability Details

CVEID:CVE-2022-21681
**DESCRIPTION:**Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in inline.reflinkSearch. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217320 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-21680
**DESCRIPTION:**Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in block.def. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product. The recommended action is to update to the latest version.

Product versions affected:

Affected Product(s)	Version(s)
IBM Maximo Asset Management	7.6.1.2
IBM Maximo Asset Management	7.6.1.3

To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6:

VRM	Fix Pack, Feature Pack, or Interim Fix	Download
7.6.1.2	Maximo Asset Management 7.6.1.2 iFix:
7.6.1.2-TIV-MBS-IF029 or latest Interim Fix available	FixCentral
7.6.1.3

Maximo Asset Management 7.6.1.3 iFix:

7.6.1.3-TIV-MBS-IF004 or latest Interim Fix available

FixCentral

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm maximo asset managementeq7.6.1
maximo for oil and gaseq7.6.1
maximo for transportationeq7.6.2.5
maximo for transportationeq7.6.2.4
maximo for transportationeq7.6.2.3
ibm maximo for aviationeq7.6.8
ibm maximo for aviationeq7.6.7
ibm maximo for aviationeq7.6.6
maximo for life scienceseq7.6
maximo for utilitieseq7.6.0.2

Name	Operator	Version
ibm maximo asset management	eq	7.6.1
maximo for oil and gas	eq	7.6.1
maximo for transportation	eq	7.6.2.5
maximo for transportation	eq	7.6.2.4
maximo for transportation	eq	7.6.2.3
ibm maximo for aviation	eq	7.6.8
ibm maximo for aviation	eq	7.6.7
ibm maximo for aviation	eq	7.6.6
maximo for life sciences	eq	7.6
maximo for utilities	eq	7.6.0.2