History: Oct 07, 2022 - 4:01 p.m.

Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud due to April 2022 CPU (minus CVE-2022-21426)

Published: 2022-10-07 16:01:56
Source: www.ibm.com
Tags: ibm java sdk, liberty for java, vulnerabilities, java se, cvss, cloud foundry

AI Score: 6.7
Confidence: High
EPSS: 0.004
Percentile: 75.5%

Summary

There are multiple vulnerabilities in the IBM® SDK, Java™ Technology Edition that is shipped with Liberty for Java for IBM Cloud. These might affect some configurations of Liberty for Java for IBM Cloud. These products have addressed the applicable CVEs. If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for “IBM Java SDK Security Bulletin” located in the References section for more information.

Vulnerability Details

**CVEID:** CVE-2022-21496 **DESCRIPTION:** An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224777 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2022-21434 **DESCRIPTION:** An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2022-21443 **DESCRIPTION:** An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224726 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

These vulnerabilities affect all versions of Liberty for Java for IBM Cloud up to and including v3.70.

Remediation/Fixes

To upgrade to Liberty for Java for IBM Cloud v3.71-20220621-1017 or higher, you must re-stage or re-push your application.

To find the current version of Liberty for Java for IBM Cloud being used, run the following command from the command-line Cloud Foundry client:

cf ssh <appname> -c "cat staging_info.yml"

Look for similar lines:

{"detected_buildpack":"Liberty for Java™ (WAR, liberty-xxx, v3.71-20220621-1017, xxx, env)","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>
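The version check above is easy to get wrong by eye across many applications, since the buildpack version token mixes a major.minor number with a build date and time. The following POSIX shell script is an added example, not IBM's own tooling or part of the bulletin: it takes the `staging_info.yml` line that `cf ssh <appname> -c "cat staging_info.yml"` prints, extracts the `vMAJOR.MINOR-YYYYMMDD-HHMM` token in the format shown in the bulletin's sample line, and reports whether the application is already at v3.71-20220621-1017 or higher or still needs a `cf restage` / `cf push`. The two sample lines are constructed for the example (the v3.70 build date is made up); in practice you would pipe the real `cf ssh` output into `liberty_version_ok`.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): check whether the Liberty for Java
# buildpack version reported in staging_info.yml is at or above the fixed level.

FIXED_VERSION="v3.71-20220621-1017"

# Constructed sample lines modelled on the bulletin's staging_info.yml output.
# The v3.70 date/time is invented for the example.
SAMPLE_OLD='{"detected_buildpack":"Liberty for Java™ (WAR, liberty-xxx, v3.70-20220415-0923, xxx, env)","start_command":".liberty/initial_startup.rb"}'
SAMPLE_NEW='{"detected_buildpack":"Liberty for Java™ (WAR, liberty-xxx, v3.71-20220621-1017, xxx, env)","start_command":".liberty/initial_startup.rb"}'

# Print the buildpack version token (vMAJOR.MINOR-YYYYMMDD-HHMM) found in the
# given line, or nothing if the line carries no such token.
extract_liberty_version() {
    printf '%s\n' "$1" | sed -n 's/.*\(v[0-9][0-9]*\.[0-9][0-9]*-[0-9]\{8\}-[0-9]\{4\}\).*/\1/p'
}

# Turn "v3.71-20220621-1017" into the fixed-width key "0003.0071.20220621.1017"
# so that versions compare correctly as strings (v3.8 sorts below v3.70).
version_key() {
    v=${1#v}
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%-*}; rest=${rest#*-}
    date=${rest%%-*}; time=${rest#*-}
    printf '%04d.%04d.%s.%s\n' "$major" "$minor" "$date" "$time"
}

# Exit status 0 when the line's version is >= FIXED_VERSION, 1 when it is
# older, 2 when no version token could be parsed from the line.
liberty_version_ok() {
    cur=$(extract_liberty_version "$1")
    [ -n "$cur" ] || return 2
    awk -v have="$(version_key "$cur")" -v need="$(version_key "$FIXED_VERSION")" \
        'BEGIN { exit (have >= need) ? 0 : 1 }'
}

# Walk the sample lines and say what the bulletin asks the operator to do.
for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    v=$(extract_liberty_version "$line")
    if [ -z "$v" ]; then
        echo "no Liberty buildpack version found in: $line"
    elif liberty_version_ok "$line"; then
        echo "$v: at or above $FIXED_VERSION, already fixed"
    else
        echo "$v: below $FIXED_VERSION, run 'cf restage <appname>' or 'cf push <appname>'"
    fi
done
```

To apply it to a real application, replace the loop with something like `liberty_version_ok "$(cf ssh "$app" -c 'cat staging_info.yml')"` and act on the exit status; a status of 2 means the buildpack line was not found and the application should be inspected by hand rather than assumed fixed.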

Workarounds and Mitigations

None

