IBMCFA03ABF61D9439983A3D885784DF62D4298B79395FB8BF5A8A3EABB5C2F99E7Security Bulletin: IBM SPSS Statistics is vulnerable to Denial of Service Attack (CVE-2022-43855)
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%
Summary
The IO Module is a separate library that users can code to in order to read and write SPSS .sav data files. A vulnerability was discovered in which attempts to write to an unwritable location can lead to file handle leakage and eventual file handle exhaustion.
Vulnerability Details
CVEID:CVE-2022-43855
**DESCRIPTION:**IBM SPSS Statistics could allow a local user to create multiple files that could exhaust the file handles capacity and cause a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239235 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| SPSS Statistics | 28.0 |
| SPSS Statistics | 26.0 |
| SPSS Statistics | 27.0.1 |
Remediation/Fixes
The fix went into IBM SPSS Statistics 29.0.2. A downloadable patch to the Programmability SDK for versions 27-29 can be found here: https://community.ibm.com/community/user/ai-datascience/viewdocument/extensions-tools-and-utilities-for?CommunityKey=886b6874-0fb1-402c-8243-c70ef8179a99&tab=librarydocuments
Workarounds and Mitigations
None
Affected configurations
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%