Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Spring Framework (CVE-2021-22096, CVE-2022-22950)


## Summary

IBM Sterling B2B Integrator has addressed security vulnerabilities in Spring Framework.

## Vulnerability Details

**CVEID:** [CVE-2021-22096](https://vulners.com/cve/CVE-2021-22096)
**DESCRIPTION:** VMware Spring Framework could allow a remote attacker to bypass security restrictions. By sending specially-crafted input, an attacker could exploit this vulnerability to cause the insertion of additional log entries.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/212430](https://exchange.xforce.ibmcloud.com/vulnerabilities/212430) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2022-22950](https://vulners.com/cve/CVE-2022-22950)
**DESCRIPTION:** VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/223096](https://exchange.xforce.ibmcloud.com/vulnerabilities/223096) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L)

## Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling B2B Integrator | - |
| IBM Sterling B2B Integrator | -, 6..1.1.0 - |

## Remediation/Fixes

| Product | Version | APAR | Remediation & Fix |
|---|---|---|---|
| IBM Sterling B2B Integrator | - | IT41291 | Apply,, or |
| IBM Sterling B2B Integrator | - - | IT41291 | Apply, or |

The version , and are available on [Fix Central](http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all). The IIM version of is available in IBM Passport Advantage.

The container version of is available in IBM Entitled Registry with the following tags:

- cp.icr.io/cp/ibm-b2bi/b2bi: for IBM Sterling B2B Integrator
- cp.icr.io/cp/ibm-sfg/sfg: for IBM Sterling File Gateway

## Workarounds and Mitigations

None
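The bulletin describes CVE-2021-22096 as crafted input causing "the insertion of additional log entries", i.e. a log-injection defect. The following Python is an added illustration of that vulnerability class and is not IBM's or Spring's code, nor a reproduction of the Spring defect: it shows the unsafe and hardened way to write an untrusted value into a log, and a review check that flags neutralized injection attempts in already-sanitized logs. The record layout (`<timestamp> <LEVEL> <logger> - <message>`) and all function names are assumptions made for the example.

```python
import re
from typing import List

# Constructed record layout assumed for this example (not IBM's or Spring's):
#   <ISO timestamp> <LEVEL> <logger> - <message>
RECORD_HEADER = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z (?:DEBUG|INFO|WARN|ERROR) \S+ - "
)

# Control characters that end a line or rewrite what a terminal shows are
# replaced by a visible escape so one logged value stays inside one record.
_ESCAPES = {"\r": "\\r", "\n": "\\n", "\x08": "\\b", "\x1b": "\\e"}


def sanitize_for_log(value: str) -> str:
    """Neutralize line terminators and other control characters in an untrusted value."""
    parts = []
    for ch in value:
        if ch in _ESCAPES:
            parts.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ch == "\x7f":
            parts.append("\\x%02x" % ord(ch))
        else:
            parts.append(ch)
    return "".join(parts)


def record_unsafe(timestamp: str, level: str, logger: str, message: str) -> str:
    """Vulnerable form: the untrusted message is written verbatim into the record."""
    return f"{timestamp} {level} {logger} - {message}"


def record_safe(timestamp: str, level: str, logger: str, message: str) -> str:
    """Hardened form: the untrusted message cannot terminate the record."""
    return record_unsafe(timestamp, level, logger, sanitize_for_log(message))


def count_records(log_text: str) -> int:
    """Count how many lines a log consumer would parse as separate records."""
    return sum(1 for line in log_text.splitlines() if RECORD_HEADER.match(line))


# Review check for sanitized logs: an escaped line break immediately followed
# by something shaped like a record header is a neutralized injection attempt
# and worth an alert, even though it did no harm.
INJECTION_ATTEMPT = re.compile(r"\\r?\\n" + RECORD_HEADER.pattern)


def find_injection_attempts(log_text: str) -> List[int]:
    """Return 1-based line numbers of sanitized records carrying an embedded header."""
    return [n for n, line in enumerate(log_text.splitlines(), start=1)
            if INJECTION_ATTEMPT.search(line)]


if __name__ == "__main__":
    # Constructed untrusted value: a username that carries CRLF and a forged record.
    tainted = "alice\r\n2024-01-01T00:00:01Z INFO auth - login ok user=admin"
    ts = "2024-01-01T00:00:00Z"
    unsafe = record_unsafe(ts, "WARN", "auth", f"login failed user={tainted}")
    safe = record_safe(ts, "WARN", "auth", f"login failed user={tainted}")
    print("records from one unsafe write:", count_records(unsafe))
    print("records from one safe write:", count_records(safe))
    print("injection attempts visible in sanitized log:", find_injection_attempts(safe))
```

The point of `count_records` is that a single unsafe write of the constructed value yields two parseable records, one of them forged, while the hardened write yields one; `find_injection_attempts` then turns the escape sequences left behind by sanitization into a detection signal for the SOC rather than silently discarding the evidence.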
