Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMAAB7546D55535C212124ACA05CA15A342B7367AA96D7ECCEEBB3F4E25B01CBF8
HistoryMar 03, 2023 - 8:42 p.m.

Security Bulletin: Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator

2023-03-0320:42:40
www.ibm.com
44

0.006 Low

EPSS

Percentile

77.8%

JSON

Summary

Watson Machine Learning Accelerator is affected by multiple json4j CVEs (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541, CVE-2022-45690, CVE-2022-46175, CVE-2022-4742). We fixed by removing json4j.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s) Version(s)
Watson Machine Learning Accelerator on Cloud Pak for Data All

Remediation/Fixes

Watson Machine Learning Accelerator version 3.1.0 and above fixed json4j CVEs by replacing json4j.

1. For Watson Machine Learning Accelerator version 2.4.x, 2.5.0, 2.6.0, 3.0.0

Follow <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=accelerator-upgrading&gt; to upgrade from WMLA 2.4.x/2.5.0/2.6.0/3.0.0 to WMLA 3.1.0 or above version.

2. For Watson Machine Learning Accelerator version 2.3.x

To address the affected version, first upgrade to IBM Watson Machine Learning Accelerator 2.3.5 by following the document <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade&gt;
Then upgrade from WMLA 2.3.5 to WMLA 3.1.0 or above version following <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=accelerator-upgrading&gt;

3. For Watson Machine Learning Accelerator version 2.2.x

To address the affected version

a. upgrade to IBM Watson Machine Learning Accelerator 2.2.6 by following the document <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning&gt;

b. upgrade from IBM Watson Machine Learning Accelerator 2.2.6 to IBM Watson Machine Learning Accelerator 2.3.1 following <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade&gt;

c. upgrade all the way to IBM Watson Machine Learning Accelerator 2.3.5 following <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade&gt;

d. upgrade from WMLA 2.3.5 to WMLA 3.1.0 or above version following <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=accelerator-upgrading&gt;

Workarounds and Mitigations

None

Related

ibm 34
veracode 7
gitlab 1
github 9
osv 14
cvelist 6
prion 6
cve 7
redhatcve 6
nessus 11
openvas 3
debiancve 1
githubexploit 3
fedora 1
ubuntucve 1
thn 1
hivepro 1
redhat 11
oracle 1
ibm
ibm
Security Bulletin: Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540
2023-03-27 20:08:12
Security Bulletin: IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541)
2023-04-04 07:11:29
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to multiple jsonwebtoken CVEs
2023-01-30 10:40:47
veracode
veracode
Unrestricted Key Type
2022-12-23 07:07:33
Denial Of Service (DoS)
2022-12-15 03:36:16
Incorrect Verification Of Tokens
2022-12-23 06:16:20
gitlab
gitlab
hutool-json stack overflow vulnerability
2022-12-13 00:00:00
github
github
hutool-json stack overflow vulnerability
2022-12-13 15:30:26
jsonwebtoken unrestricted key type could lead to legacy keys usage
2022-12-22 03:32:22
json-pointer vulnerable to Prototype Pollution
2022-12-26 09:30:25
osv
osv
hutool-json stack overflow vulnerability
2022-12-13 15:30:26
CVE-2022-23540
2022-12-22 19:15:08
CVE-2022-45690
2022-12-13 15:15:11
cvelist
cvelist
CVE-2022-23541 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
2022-12-22 17:52:22
CVE-2022-23540 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
2022-12-22 18:02:24
CVE-2022-23539 jsonwebtoken unrestricted key type could lead to legacy keys usage
2022-12-22 23:20:47
prion
prion
Design/Logic Flaw
2022-12-22 18:15:00
Stack overflow
2022-12-13 15:15:00
Type confusion
2022-12-23 00:15:00
cve
cve
CVE-2022-45690
2022-12-13 15:15:00
CVE-2022-23539
2022-12-23 00:15:00
CVE-2022-4742
2022-12-26 08:15:00
redhatcve
redhatcve
CVE-2022-23541
2023-02-23 18:59:15
CVE-2022-23540
2023-02-23 18:29:15
CVE-2022-4742
2022-12-26 13:04:50
nessus
nessus
Debian DLA-3665-1 : node-json5 - LTS security update
2023-11-25 00:00:00
Fedora 37 : pgadmin4 (2023-e7297a4aeb)
2023-01-29 00:00:00
Auth0 JsonWebtoken < 9.0.0 Arbitrary File Write (deprecated)
2023-01-13 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-6758-1)
2024-05-01 00:00:00
Fedora: Security Advisory for pgadmin4 (FEDORA-2023-e7297a4aeb)
2023-01-30 00:00:00
Debian: Security Advisory (DLA-3665-1)
2023-11-27 00:00:00
debiancve
debiancve
CVE-2022-46175
2022-12-24 04:15:00
githubexploit
githubexploit
Exploit for Improper Verification of Cryptographic Signature in Auth0 Jsonwebtoken
2023-01-17 10:34:10
Exploit for CVE-2022-23529
2023-01-16 02:35:54
Exploit for CVE-2022-23529
2023-01-16 02:35:54
fedora
fedora
[SECURITY] Fedora 37 Update: pgadmin4-6.19-1.fc37
2023-01-30 01:27:10
ubuntucve
ubuntucve
CVE-2022-46175
2022-12-24 00:00:00
thn
thn
Severe Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects
2023-01-10 08:54:00
hivepro
hivepro
New Vulnerability Found in the JsonWebToken Open-Source Project
2023-01-10 12:11:46
redhat
redhat
(RHSA-2023:3265) Moderate: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update
2023-05-23 09:15:39
(RHSA-2023:3815) Important: Service Registry (container images) release and security update [2.4.3 GA]
2023-06-27 11:27:30
(RHSA-2023:0634) Moderate: Red Hat OpenShift (Logging Subsystem) security update
2023-02-09 13:59:38
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00

0.006 Low

EPSS

Percentile

77.8%

JSON
Related for AAB7546D55535C212124ACA05CA15A342B7367AA96D7ECCEEBB3F4E25B01CBF8
ibm34veracode7gitlab1github9osv14cvelist6prion6cve7redhatcve6nessus11openvas3debiancve1githubexploit3fedora1ubuntucve1thn1hivepro1redhat11oracle1