Security Bulletin: hsqldb-2.0.0.jar shipped with IBM Tivoli Business Service Manager is vulnerable to remote code execution (CVE-2022-41853)

Summary

hsqldb is a component shipped with IBM Tivoli Business Service Manager. Information about a security vulnerability affecting hsqldb has been published in a security bulletin. hsqldb is no longer used and can be safely removed.

Vulnerability Details

CVEID:CVE-2022-41853
**DESCRIPTION:**HSQLDB could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of user-supplied input by the java.sql.Statement or java.sql.PreparedStatement components. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237983 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now using the following procedure.

Please note in the steps that JazzSMHOME denotes the home directory where JazzSM is installed.

For IBM Tivoli Business Service Manager 6.2.0 Dashboard server:

1. Stop the JazzSM server:

JazzSMHOME/profile/bin/stopServer.sh server1

2. Navigate to the following directory:

JazzSMHOME/profile/installedApps/JazzSMNode01Cell/isc.ear/sla.war/WEB-INF/lib

3. Delete the hsqldb-2.0.0.jar file.

4. Start the JazzSM server:

JazzSMHOME/profile/bin/startServer.sh server1

Workarounds and Mitigations

None