logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Log4j 1.x

Description

## Summary IBM Data Risk Manager (IDRM) 2.0.6.13, which is the only supported version, is impacted by multiple vulnerabilities including Apache Log4j 1.x (CVE-2019-17571, CVE-2022-23305, CVE-2022-23307, CVE-2022-23302, CVE-2021-4104, CVE-2020-9488, CVE-2020-9493) which was bundled within hadoop-client 3.3.2. The vulnerabilities have been addressed in the updated version of IDRM 2.0.6.14 which includes hadoop-client 3.3.3 and internally it packages latest Apache Log4j 2.x. Please see the remediation steps below to apply the fix. All customers are encouraged to act quickly to update their systems. ## Vulnerability Details ** CVEID: **[CVE-2022-1552](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1552>) ** DESCRIPTION: **PostgreSQL remote authenticated attacker to bypass security restrictions, caused by an issue with not activate protection or too late with the Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL functions under a superuser identity. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226521](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226521>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2022-22969](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22969>) ** DESCRIPTION: **Spring Security OAuth is vulnerable to a denial of service, caused by initiation of the Authorization Request in an OAuth 2.0 Client application. By sending multiple specially-crafted requests, a remote attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224974](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224974>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-21496](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21496>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224777>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2022-21434](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21434>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224718](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224718>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2022-21443](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21443>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224726](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224726>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-22971](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22971>) ** DESCRIPTION: **Vmware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226492](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226492>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2021-45346](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45346>) ** DESCRIPTION: **SQLite could allow a local authenticated attacker to obtain sensitive information, caused by a memory leak. By sending a specially-crafted SQL query via editing the database file, an attacker could exploit this vulnerability to obtain sensitive information from subsequent bytes of the queried record from memory. CVSS Base score: 3.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/219912](<https://exchange.xforce.ibmcloud.com/vulnerabilities/219912>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2022-24785](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24785>) ** DESCRIPTION: **Moment.js could allow a remote attacker to traverse directories on the system, caused by improper validation of user supplied input. An attacker could send a specially-crafted locale string containing "dot dot" sequences (/../) to switch arbitrary moment locale. CVSS Base score: 7.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223451](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223451>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) ** CVEID: **[CVE-2021-35561](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35561>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the Utility component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/211637](<https://exchange.xforce.ibmcloud.com/vulnerabilities/211637>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-0492](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0492>) ** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the cgroups v1 release_agent feature. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and bypass namespace isolation unexpectedly. CVSS Base score: 7.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/218777](<https://exchange.xforce.ibmcloud.com/vulnerabilities/218777>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2022-22970](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22970>) ** DESCRIPTION: **Vmware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling of file uploads. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226491](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226491>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2022-29885](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885>) ** DESCRIPTION: **Apache Tomcat is vulnerable to a denial of service, caused by an use-after-free flaw in theEncryptInterceptor in an untrusted network. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226170](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226170>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2022-25169](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25169>) ** DESCRIPTION: **Apache Tika is vulnerable to a denial of service, caused by improper input validation in the BPG parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226627](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226627>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2022-22976](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22976>) ** DESCRIPTION: **Spring Security could provide weaker than expected security, caused by an integer overflow vulnerability which results in a lack of salt rounds when using the BCrypt class with the maximum work factor. A local authenticated attacker could exploit this vulnerability to launch further attacks on the system. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226733](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226733>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N) ** CVEID: **[CVE-2022-21299](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21299>) ** DESCRIPTION: **An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217594](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217594>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2021-4028](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4028>) ** DESCRIPTION: **Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free in the implementation of RDMA communications manager listener code. By sending a specially-crafted request, an attacker could exploit this vulnerability to crash the system or gain elevated privileges on the system. CVSS Base score: 7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/226067](<https://exchange.xforce.ibmcloud.com/vulnerabilities/226067>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2022-22968](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22968>) ** DESCRIPTION: **Spring Framework could provide weaker than expected security, caused by a data binding rules vulnerability in which the patterns for disallowedFields on a DataBinder are case sensitive. The case sensitivity allows that a field is insufficiently protected unless it is listed with both upper and lower case for the first character of the field. An attacker could exploit this vulnerability to launch further attacks on the system. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/224374](<https://exchange.xforce.ibmcloud.com/vulnerabilities/224374>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) ** CVEID: **[CVE-2022-34305](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34305>) ** DESCRIPTION: **Apache Tomcat is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the Form authentication example in the examples web application to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/229596](<https://exchange.xforce.ibmcloud.com/vulnerabilities/229596>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2019-17571](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571>) ** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization of untrusted data in SocketServer. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173314](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173314>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2022-23305](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305>) ** DESCRIPTION: **Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database. CVSS Base score: 6.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217461](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217461>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) ** CVEID: **[CVE-2022-23307](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307>) ** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217462](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217462>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2022-23302](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302>) ** DESCRIPTION: **Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/217460](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217460>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2021-4104](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>) ** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data when the attacker has write access to the Log4j configuration. If the deployed application is configured to use JMSAppender, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/215048](<https://exchange.xforce.ibmcloud.com/vulnerabilities/215048>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9488](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488>) ** DESCRIPTION: **Apache Log4j is vulnerable to a man-in-the-middle attack, caused by improper certificate validation with host mismatch in the SMTP appender. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system. CVSS Base score: 3.7 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180824](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180824>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) ** CVEID: **[CVE-2020-9493](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9493>) ** DESCRIPTION: **Apache Chainsaw could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw when reading the log events. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/203829](<https://exchange.xforce.ibmcloud.com/vulnerabilities/203829>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** IBM X-Force ID: **217968 ** DESCRIPTION: **FasterXML jackson-databind is vulnerable to a denial of service, caused by an error when using JDK serialization to serialize and deserialize JsonNode values. By sending a specially crafted request, an attacker could exploit this vulnerability to cause a denial of service. CVSS Base score: 5.9 CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/217968 ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/217968>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) ## Affected Products and Versions Affected Product(s)| Version(s) ---|--- IBM DRM| 2.0.6.13 ## Remediation/Fixes To obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.13, and then apply the latest FixPack 2.0.6.14. _Product_| _VRMF_| _APAR _| _Remediation / First Fix_ ---|---|---|--- IBM Data Risk Manager| 2.0.6.13| - | 1) Apply [DRM_2.0.6.14_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.13&platform=Linux&function=all>) ---|---|---|--- ## Workarounds and Mitigations None ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) ## Change History 29 Jul 2022: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/bulletin/#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment. ## Document Location Worldwide [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSJQ6V","label":"IBM Data Risk Manager"},"Component":"","Platform":[{"code":"PF004","label":"Appliance"}],"Version":"2.0.6.13","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]


Affected Software


CPE Name Name Version
ibm data risk manager 2.0.6.13

Related