Security Bulletin: Sterling Control Center v6.2.1 is vulnerable due to Apache ActiveMQ issue

Summary

Sterling Control Center v6.2.1 is dependent on Apache ActiveMQ, which is vulnerable to CVE-2022-41678.

Vulnerability Details

CVEID:CVE-2022-41678
**DESCRIPTION:**Apache ActiveMQ could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the Jolokia component. By sending specially crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272445 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

Product

|

Version

|

Remediation

—|—|—

IBM Sterling Control Center

|

6.2.1.0 GA through iFix13

|

6.2.1.0 iFix13 Fix Central - 6.2.1.0

Workarounds and Mitigations

• In 6.2.1, Apache Active MQ version is upgraded to 5.16.7 which has the fix for the mentioned vulnerability.
• Remediation Fix is also available with latest release of v6.3.1.0 and later as well.

Note: We encourage our customers with EOS v6.1.3.0 and v6.3.0.0 to upgrade to the latest release as they will not be receiving security patches.