Lucene search

K
ibmIBMD217E46A21D57F6E2A2BF7B705F5AB42A912E70179C85B686B09E652D0CFD1B3
HistoryFeb 01, 2023 - 11:04 a.m.

Security Bulletin: IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980]

2023-02-0111:04:10
www.ibm.com
75
ibm cloud pak
multicloud management
security fixes
apache commons
cve-2022-42889
cve-2022-33980
vulnerability
remote code execution
interpolation defaults
configuration
cvss
upgrade

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.972

Percentile

99.8%

Summary

IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980]

Vulnerability Details

CVEID:CVE-2022-42889
**DESCRIPTION:**Apache Commons Text could allow a remote attacker to execute arbitrary code on the system, caused by an insecure interpolation defaults flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-33980
**DESCRIPTION:**Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when using the interpolation defaults. By using a specially-crafted configuratrion, an attacker could exploit this vulnerability to execute arbitrary code or perform unintentional contact with remote servers .
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230563 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Cloud Pak for Multicloud Management Monitoring 2.0 - 2.3 Fix Pack 5

Remediation/Fixes

IBM strongly suggests upgrading to IBM Cloud Pak for Multicloud Management 2.3 Fix Pack 6 by following the instructions at <https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=installation-upgrade&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcloud_pak_for_multicloud_managementMatch2.3
VendorProductVersionCPE
ibmcloud_pak_for_multicloud_management2.3cpe:2.3:a:ibm:cloud_pak_for_multicloud_management:2.3:*:*:*:*:*:*:*

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.972

Percentile

99.8%