Lucene search

K
ibmIBM93D2B198EB57E740FB9D9A768D209D93B29315FDB5E5AA8CE522F8A8449A406D
HistoryNov 28, 2022 - 2:09 p.m.

Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to denial of service due to Jettison-json (CVE-2022-40149, CVE-2022-40150)

2022-11-2814:09:17
www.ibm.com
24

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

Jettison-json is used by IBM UrbanCode Deploy (UCD) for parsing JSON data. A remote authenticated user may cause high memory usage by sending a request containing specially crafted JSON data. (CVE-2022-40149, CVE-2022-40150)

Vulnerability Details

CVEID:CVE-2022-40149
**DESCRIPTION:**jettison-json Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236352 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-40150
**DESCRIPTION:**jettison-json Jettison is vulnerable to a denial of service, caused by an out of memory flaw. By sending a specially-crafted XML or JSON data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
UCD - IBM UrbanCode Deploy 6.2.0.0 - 6.2.7.17
UCD - IBM UrbanCode Deploy 7.0.5.0 - 7.0.5.12
UCD - IBM UrbanCode Deploy 7.1.0.0 - 7.1.2.8
UCD - IBM UrbanCode Deploy 7.2.0.0 - 7.2.3.1

Remediation/Fixes

IBM strongly suggests the following:

Upgrade to any of 6.2.7.18, 7.0.5.13, 7.1.2.9, 7.2.3.2, or 7.3.0.0 or later

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm urbancode deployeq7.3.0.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Related for 93D2B198EB57E740FB9D9A768D209D93B29315FDB5E5AA8CE522F8A8449A406D