Lucene search

IBM96AB4E997152F9175A9F1AC07282BC23CE87107D088016A8EBFBA5A88366918C

HistoryMar 30, 2023 - 7:17 p.m.

Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to denial of service due to Jettison-json (CVE-2022-45693, CVE-2022-45685)

2023-03-3019:17:31

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

27.9%

JSON

Summary

Jettison-json is used by IBM UrbanCode Deploy (UCD) for parsing JSON data. A remote authenticated user may cause high memory usage by sending a request containing specially crafted JSON data. (CVE-2022-45693, CVE-2022-45685)

Vulnerability Details

CVEID:CVE-2022-45693
**DESCRIPTION:**Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242274 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-45685
**DESCRIPTION:**Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending an overly long string using JSON data, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
UCD - IBM UrbanCode Deploy	6.2 - 6.2.7.19
UCD - IBM UrbanCode Deploy	7.0 - 7.0.5.14
UCD - IBM UrbanCode Deploy	7.1 - 7.1.2.10
UCD - IBM UrbanCode Deploy	7.2 - 7.2.3.3
UCD - IBM UrbanCode Deploy	7.3 - 7.3.0.1

Remediation/Fixes

IBM strongly suggests the following:

Upgrade to any of 6.2.7.20,7.0.5.15, 7.1.2.11, 7.2.3.4, or 7.3.1.0 or later

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm urbancode deployeq7.3.1.0

CPE	Name	Operator	Version
	ibm urbancode deploy	eq	7.3.1.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

27.9%

JSON

Related for 96AB4E997152F9175A9F1AC07282BC23CE87107D088016A8EBFBA5A88366918C