Security Bulletin: IBM InfoSphere Information Server is affected but not vulnerable to multiple vulnerabilities in Undertow

Summary

Multiple vulnerabilities in Undertow used by IBM InfoSphere Information Server were addressed.

Vulnerability Details

CVEID:CVE-2022-1259
**DESCRIPTION:**Undertow is vulnerable to a denial of service, caused by a potential security issue in flow control over HTTP/2. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-4492
**DESCRIPTION:**Undertow could provide weaker than expected security, caused by not checking the server identity the server certificate presents in HTTPS connections. An attacker could exploit this vulnerability to launch further attacks on the system
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248558 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-1108
**DESCRIPTION:**Undertow is vulnerable to a denial of service, caused by an infinite loop in SslConduit during close on JDK 11. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249912 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

None