History: Mar 07, 2024 - 7:29 p.m.

Security Bulletin: IBM SPSS Statistics is vulnerable to Denial of Service Attack (CVE-2022-43855)

2024-03-07 19:29:07
www.ibm.com
Tags: ibm spss, denial of service, vulnerability, file handles, patch, programmability sdk

CVSS3: 6.2 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

Summary

The IO Module is a separate library that users can code to in order to read and write SPSS .sav data files. A vulnerability was discovered in which attempts to write to an unwritable location can lead to file handle leakage and eventual file handle exhaustion.
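One way to check a writer for the failure mode described above, as an added example that is not IBM's code: count the process's open descriptors before and after repeated writes to an unwritable location. `leaky_writer` and `careful_writer` are constructed stand-ins (the bulletin does not describe the IO Module's internals); in practice the function under test would wrap the real write call.

```python
import os
import tempfile

def open_fd_count(limit=1024):
    """Count descriptors currently open in this process (POSIX)."""
    count = 0
    for fd in range(limit):
        try:
            os.fstat(fd)
            count += 1
        except OSError:
            pass  # descriptor number not in use
    return count

def leaked_handles(write_fn, bad_path, attempts=50):
    """Call write_fn(bad_path) repeatedly; return the growth in open descriptors."""
    before = open_fd_count()
    for _ in range(attempts):
        try:
            write_fn(bad_path)
        except OSError:
            pass  # the write is expected to fail; only the handle count matters
    return open_fd_count() - before

def unwritable_path():
    """Constructed test input: a file inside a directory that no longer exists."""
    gone = tempfile.mkdtemp()
    os.rmdir(gone)
    return os.path.join(gone, "out.sav")

def leaky_writer(path):
    """Stand-in with the bug class: a handle acquired first is lost on failure."""
    scratch = os.open(os.devnull, os.O_RDONLY)
    dest = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)  # raises; scratch stays open
    os.close(dest)
    os.close(scratch)

def careful_writer(path):
    """Stand-in with the error path closed: every acquired handle is released."""
    scratch = os.open(os.devnull, os.O_RDONLY)
    try:
        dest = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
        os.close(dest)
    finally:
        os.close(scratch)

if __name__ == "__main__":
    target = unwritable_path()
    print("leaky:", leaked_handles(leaky_writer, target))
    print("careful:", leaked_handles(careful_writer, target))
```

A non-zero result that scales with `attempts` indicates a per-failure leak; after applying the fix the same check should report zero.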

Vulnerability Details

CVEID: CVE-2022-43855
**DESCRIPTION:** IBM SPSS Statistics could allow a local user to create multiple files that could exhaust the file handles capacity and cause a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239235 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| SPSS Statistics | 28.0 |
| SPSS Statistics | 26.0 |
| SPSS Statistics | 27.0.1 |

Remediation/Fixes

The fix went into IBM SPSS Statistics 29.0.2. A downloadable patch to the Programmability SDK for versions 27-29 can be found here: https://community.ibm.com/community/user/ai-datascience/viewdocument/extensions-tools-and-utilities-for?CommunityKey=886b6874-0fb1-402c-8243-c70ef8179a99&tab=librarydocuments

Workarounds and Mitigations

None

Affected configurations

Vulners node:
ibm spss_statistics, Match 26
OR
ibm spss_statistics, Match 27.0.1
OR
ibm spss_statistics, Match 28
OR
ibm spss_statistics, Match 29
