Security Bulletin: junrar v7.4.0 and prior Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS)

Summary

junrar v7.4.0 and prior Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS). A carefully crafted RAR archive can trigger an infinite loop while parsing the file. This could be used to mount a denial of service attack against services that use junrar.

Vulnerability Details

CVEID:CVE-2022-23596
**DESCRIPTION:**Junrar is vulnerable to a denial of service, caused by an infinite loop when extracting RAR files. By persuading a victim to open a specially-crafted RAR file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/218764 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

o resolve these vulnerabilities, install one of the patch sets listed below to upgrade junrar.

5.5.4

5.5.7
5.5.8

| PJ46715
PJ46715
PJ46715| 5.5.4.0-P8CSS-IF008 - 5/24/2022
5.5.7.0-P8CSS-IF003 - 6/29/2022
5.5.8.0-P8CSS-IF001 - 3/22/2022

In the above table, the APAR links will provide more information about the fix.

Workarounds and Mitigations

Disable indexing of RAR files