IBME42F8DE28D5CD46153BB66137228594CB3EB80B835A9318F0A160B0CE1CC47FFSecurity Bulletin: IBM Java SDK update forJava deserialization filters (JEP 290) ignored during IBM ORB deserialization
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
78.0%
Summary
There are vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 8** for Java deserialization filters (JEP 290) ignored during IBM ORB deserialization that are used by Rational Software Architect Designer and Rational Software Architect Designer for Websphere Software. These issues were disclosed as part of the IBM Java SDK updates
Vulnerability Details
CVEID:CVE-2022-40609
**DESCRIPTION:**IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| RSA | 9.6 |
| RSA | 9.7 |
Remediation/Fixes
Update the IBM SDK, Java Technology Edition of the product to address this vulnerability:
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| Rational Software Architect Designer (RSAD) |
9.7 to 9.7.0.3 ,9.7.1 and 9.7.1.1
9.6 to 9.6.1.4
| IBM Java SDK/JRE 8 SR8 FP5 IFixes
Rational Software Architect Designer for WebSphere Software (RSAD4WS)|
9.7 to 9.7.0.3 ,9.7.1 and 9.7.1.1
9.6 to 9.6.1.4
| IBM Java SDK/JRE 8 SR8 FP5 IFixes
Installation Instructions:
For instructions on installing this update using Installation Manager, review the topic Updating Installed Product Packages in the IBM Knowledge Center.
Instructions to download and install the update from the compressed files:
-
Download the update files from Fix Central by following the link listed in the download table above
-
Extract the compressed files in an appropriate directory.
For example, choose to extract to C:\temp\update
-
Start IBM Installation Manager.
-
On the Start page of Installation Manager, click File > Preferences, and then clickRepositories. The Repositories page opens.
-
On the Repositories page, click Add Repository.
-
In the Add repository window, browse to or enter the file path to the repository.config file, which is located in the directory where you extracted the compressed files and then click OK.
For example, enter C:\temp\update\repository.config.
-
Click OK to close the Preference page.
-
Install the update as described in the the topic Updating Installed Product Packages in the IBM Knowledge Center for your product and version.
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | rational_software_architect_designer | 9.5 | cpe:2.3:a:ibm:rational_software_architect_designer:9.5:*:*:*:*:*:*:* |
| ibm | rational_software_architect_designer | 9.6 | cpe:2.3:a:ibm:rational_software_architect_designer:9.6:*:*:*:*:*:*:* |
| ibm | rational_software_architect_designer | 9.7 | cpe:2.3:a:ibm:rational_software_architect_designer:9.7:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
78.0%