
Security Bulletin: IBM API Connect is impacted by a vulnerability in Apache Xalan Java XSLT library (CVE-2022-34169)

Published: 2022-12-01 00:42:16
Source: www.ibm.com

CVSS v3.1 base score: 7.5 (High)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.002 (Low), percentile 53.3%

Summary

IBM API Connect is impacted by a vulnerability in the Apache Xalan Java XSLT library, which is shipped in its analytics component. IBM API Connect has addressed the vulnerability described in CVE-2022-34169.

Vulnerability Details

CVEID: CVE-2022-34169
**DESCRIPTION:** The Apache Xalan Java XSLT library could allow a remote attacker to execute arbitrary code on the system. The flaw is an integer truncation issue that occurs when processing malicious XSLT stylesheets; an attacker who can get a specially crafted stylesheet processed by the library could exploit it to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/231489 for the current score.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products and Versions

API Connect V10.0.0.0 - V10.0.5.0
API Connect V10.0.1.0 - V10.0.1.8

Remediation/Fixes

| Affected Product | Affected Versions | Addressed in VRMF | Remediation/First Fix |
|---|---|---|---|
| IBM API Connect | V10.0.0.0 - V10.0.5.0 | V10.0.5.1 | Addressed in IBM API Connect V10.0.5.1. The analytics component is impacted. Follow this link and find the appropriate package: <https://www.ibm.com/support/pages/node/6607906> |
| IBM API Connect | V10.0.1.0 - V10.0.1.8 | V10.0.1.9 | Addressed in IBM API Connect V10.0.1.9. The analytics component is impacted. Follow this link and find the appropriate package: <https://www.ibm.com/support/pages/node/6825013> |

Workarounds and Mitigations

None

Affected configurations

| CPE Name | Operator | Version |
|---|---|---|
| ibm api connect | eq | 10 |
