Published: Jan 24, 2023 - 7:54 a.m.

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to remote code execution due to Apache Commons Text [CVE-2022-42889]

Source: www.ibm.com
Tags: ibm sterling partner engagement manager, remote code execution, apache commons text, cve-2022-42889, vulnerability, arbitrary code, version 6.1.2, version 6.2.0, version 6.2.1

CVSS3: 9.8

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.9 (Confidence: High)

EPSS: 0.971 (Percentile: 99.8%)

Summary

IBM Sterling Partner Engagement Manager has addressed a publicly disclosed vulnerability published by Apache Commons - Collections v3.2.1 [CVE-2022-42889].

Vulnerability Details

**CVEID:** CVE-2022-42889

**DESCRIPTION:** Apache Commons Text could allow a remote attacker to execute arbitrary code on the system, caused by an insecure interpolation defaults flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.

**CVSS Base score:** 9.8

**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/238560 for the current score.

**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Partner Engagement Manager | 6.1.2, 6.2.0, 6.2.1 |

Remediation/Fixes

IBM strongly suggests the following remediation / fixes:

| Product | Version | Remediation |
|---|---|---|
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.1.2.7 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.1.2.7&source=SAR |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.1.2.7 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.7&source=SAR |
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.0.5 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.0.5&source=SAR |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2.0.5 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.5&source=SAR |
| IBM Sterling Partner Engagement Manager Essentials Edition | 6.2.1.2 | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Essentials_6.2.1.2&source=SAR |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2.1.2 | https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.1.2&source=SAR |

Workarounds and Mitigations

None

Affected configurations

Match on any of: ibm multi-enterprise_relationship_management 6.1, 6.2 or 6.2.1.

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | multi-enterprise_relationship_management | 6.1 | cpe:2.3:a:ibm:multi-enterprise_relationship_management:6.1:*:*:*:*:*:*:* |
| ibm | multi-enterprise_relationship_management | 6.2 | cpe:2.3:a:ibm:multi-enterprise_relationship_management:6.2:*:*:*:*:*:*:* |
| ibm | multi-enterprise_relationship_management | 6.2.1 | cpe:2.3:a:ibm:multi-enterprise_relationship_management:6.2.1:*:*:*:*:*:*:* |
