
Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache CXF

2024-04-11 13:17:57, www.ibm.com
Tags: ibm sterling b2b integrator, apache cxf, vulnerabilities, security bulletin, remediation, fix, cve-2022-46363, cve-2021-30468, cve-2021-22696, cve-2022-46364, directory listing, code exfiltration, denial of service

CVSS3: 9.8 High
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.1 High (Confidence: High)

CVSS2: 7.5 High
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL
- Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.039 Low (Percentile: 91.9%)

Summary

IBM Sterling B2B Integrator uses Apache CXF. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

**CVEID:** CVE-2022-46363
**DESCRIPTION:** Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform directory listing or code exfiltration, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242009 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2021-30468
**DESCRIPTION:** Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/203830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2021-22696
**DESCRIPTION:** Apache CXF is vulnerable to a denial of service, caused by improper validation of the request_uri parameter by the OAuth 2 authorization service. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition on the authorization server.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/199335 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2022-46364
**DESCRIPTION:** Apache CXF is vulnerable to server-side request forgery, caused by a flaw in parsing the href attribute of XOP:Include in MTOM requests. By using a specially-crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling B2B Integrator | 6.0.0.0 - 6.0.3.9 |
| IBM Sterling B2B Integrator | 6.1.0.0 - 6.1.2.3 |
| IBM Sterling B2B Integrator | 6.2.0.0 |

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now.

| Product | Version | Remediation & Fix |
|---|---|---|
| IBM Sterling B2B Integrator | 6.0.0.0 - 6.0.3.9 | Apply B2BI 6.1.2.5 or 6.2.0.1 |
| IBM Sterling B2B Integrator | 6.1.0.0 - 6.1.2.3 | Apply B2BI 6.1.2.5 or 6.2.0.1 |
| IBM Sterling B2B Integrator | 6.2.0.0 | Apply B2BI 6.2.0.1 |

The IIM versions of 6.1.2.5 and 6.2.0.1 are available on Fix Central.

The container versions of 6.1.2.5 and 6.2.0.1 are available in the IBM Entitled Registry.
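The affected ranges and fix levels above are easy to misjudge by eye when a fleet runs mixed builds (a plain string comparison would, for example, sort 6.0.3.10 below 6.0.3.9). The following added example, written for this page and not IBM's own tooling, parses dotted version strings as numeric tuples and reports, for each installed build, whether it falls in a range listed in this bulletin and which B2BI fix levels the remediation table names for it. Builds outside the listed ranges are reported as not listed, not as safe; the hostnames and inventory are constructed.

```python
"""Check IBM Sterling B2B Integrator builds against this bulletin's ranges.
Illustrative code for this page, not IBM tooling. Versions are compared as
dotted numeric tuples padded to four components."""
from typing import Tuple

Version = Tuple[int, ...]

# Affected ranges and fix levels taken from the bulletin's remediation table:
# (lowest affected, highest affected, fix levels that close the range).
AFFECTED_RANGES = [
    ((6, 0, 0, 0), (6, 0, 3, 9), ("6.1.2.5", "6.2.0.1")),
    ((6, 1, 0, 0), (6, 1, 2, 3), ("6.1.2.5", "6.2.0.1")),
    ((6, 2, 0, 0), (6, 2, 0, 0), ("6.2.0.1",)),
]


def parse_version(text: str) -> Version:
    """Parse '6.1.2' into (6, 1, 2, 0); padding keeps '6.1.2' equal to
    '6.1.2.0' instead of sorting below it."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) > 4:
        raise ValueError(f"too many components: {text!r}")
    return nums + (0,) * (4 - len(nums))


def assess(installed: str) -> Tuple[bool, Tuple[str, ...]]:
    """Return (listed_as_affected, fix_levels) for an installed build.
    A build outside every listed range yields (False, ()); that means the
    bulletin does not list it, not that it is known to be safe."""
    v = parse_version(installed)
    for low, high, fixes in AFFECTED_RANGES:
        if low <= v <= high:
            return True, fixes
    return False, ()


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> installed B2BI version).
    inventory = {"b2bi-prod-01": "6.1.2.3", "b2bi-prod-02": "6.1.2.5",
                 "b2bi-test-01": "6.2.0.0", "b2bi-dev-01": "6.0.3.10"}
    for host, ver in sorted(inventory.items()):
        affected, fixes = assess(ver)
        status = ("apply B2BI " + " or ".join(fixes)) if affected \
            else "not listed as affected in this bulletin"
        print(f"{host:14} {ver:9} {status}")
```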

Workarounds and Mitigations

None
