Lucene search

IBMB226954B30CC30A148533F8AE72F41E5DB33B29DDDCAE7116FEA2EB7144B9A94

HistoryApr 06, 2023 - 2:11 p.m.

Security Bulletin: IBM Watson Explorer is affected by a vulnerability in Apache UIMA

2023-04-0614:11:09

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

45.8%

JSON

Summary

IBM Watson Explorer OneWEX and Foundational Components contains a vulnerable version of Apache UIMA.

Vulnerability Details

CVEID:CVE-2022-32287
**DESCRIPTION:**Apache UIMA could allow a remote attacker to traverse directories on the system, caused by improper validation of user supplied input in a FileUtil class used by the PEAR management component. An attacker could use a specially-crafted archive file containing “dot dot” sequences (/…/) to create files outside the designated target directory using carefully crafted ZIP entry names.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239434 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Watson Explorer DAE
oneWEX Components

12.0.0.0, 12.0.0.1

12.0.1,

12.0.2.0 - 12.0.2.2,

12.0.3.0 - 12.0.3.10

IBM Watson Explorer DAE
Foundational Components|

12.0.0,

12.0.1,

12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.10

IBM Watson Explorer
Foundational Components| 11.0.0.0 - 11.0.0.3,
11.0.1,
11.0.2.0 - 11.0.2.14

Remediation/Fixes

The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>.

Affected Product	Affected Versions	How to acquire and apply the fix
IBM Watson Explorer DAE
oneWEX Components

12.0.0.0, 12.0.0.1

12.0.1,

12.0.2.0 - 12.0.2.2,

12.0.3.0 - 12.0.3.10

Upgrade to Version 12.0.3.11.

See Watson Explorer Version 12.0.3.11 OneWEX Components for download information and instructions.

IBM Watson Explorer DAE
Foundational Components|

12.0.0,

12.0.1,

12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.10

Upgrade to Version 12.0.3.11.

See Watson Explorer Version 12.0.3.11 Foundational Components for download information and instructions.

IBM Watson Explorer
Foundational Components| 11.0.0.0 - 11.0.0.3,
11.0.1,
11.0.2.0 - 11.0.2.14|

Upgrade to Version 11.0.2.15.

See Watson Explorer Version 11.0.2.15 Foundational Components for download information and instructions.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm watson explorereq11.0.0
ibm watson explorereq11.0.1
ibm watson explorereq11.0.2
ibm watson explorereq12.0.0
ibm watson explorereq12.0.1
ibm watson explorereq12.0.2
ibm watson explorereq12.0.3

Name	Operator	Version
ibm watson explorer	eq	11.0.0
ibm watson explorer	eq	11.0.1
ibm watson explorer	eq	11.0.2
ibm watson explorer	eq	12.0.0
ibm watson explorer	eq	12.0.1
ibm watson explorer	eq	12.0.2
ibm watson explorer	eq	12.0.3