CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
Percentile: 100.0%

Is Sterling Order Management affected by Spring vulnerability CVE-2022-22965?
IBM is aware of a recently surfaced vulnerability CVE-2022-22965 and has evaluated whether any Sterling Order Management applications are affected. The following is a summary of our evaluation:
Component | Spring version used | Impacted by CVE-2022-22965 | Immediate Mitigation Plan | Latest Status
---|---|---|---|---
Sterling Order Management SaaS, On-prem and Certified Containers (including Store Engagement & Call Center) | Not used | No | N/A | Not vulnerable
Inventory Visibility Microservice | Not used | No | N/A | Not vulnerable
Intelligent Promising Microservice | Not used | No | N/A | Not vulnerable
OMS Data Exchange Service | Not used | No | N/A | Not vulnerable
Store Inventory Management Microservice | Not used | No | N/A | Not vulnerable
Order Hub | Not used | No | N/A | Not vulnerable
Sterling Fulfillment Optimizer | Not used | No | N/A | Not vulnerable
Configure, Price, Quote (CPQ): Omni-Configurator and Visual Modeler | Not used | No | N/A | Not vulnerable
Configure, Price, Quote (CPQ): Field Sales | Not used | No | N/A | Not vulnerable
Spring Framework RCE, Early Announcement - spring.io
CVE-2022-22965 - National Vulnerability Database
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ - vmware.com
CPE

Name | Operator | Version
---|---|---
sterling order management | eq | any