Lucene search

IBMF243281320AFD7E2710EDC7B3D2DE73901C6546A063CD6DB1074893EA50F7F8E

HistoryMay 05, 2022 - 4:59 p.m.

Security Bulletin: API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965)

2022-05-0516:59:52

www.ibm.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

JSON

Summary

IBM API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it meets all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. This Spring vulnerability only exists, if clients installed the optional API Connect V10 Application Test and Monitor function. The fix includes Spring-boot 2.6.6, Spring-core 5.3.18 and Spring-framework 5.3.18.

Vulnerability Details

CVEID:CVE-2022-22965
**DESCRIPTION:**Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux. Note: This vulnerability is also known as Spring4Shell or SpringShell.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223103 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

API Connect	API Connect V10.0.0.0 - V10.0.1.1

Remediation/Fixes

Affected Product	Addressed in VRMF	APAR	Remediation/First Fix

IBM API Connect

V10.0.0.0-V10.0.1.1

| 10.0.1.<X>| | Please see links to various resources for a quick ref.

10.0.1.6-ifix1
Release Announce notes: <https://www.ibm.com/support/pages/node/6571315>
IBM Docs: <https://www.ibm.com/docs/en/api-connect/10.0.1.x?topic=aco-whats-new-in-latest-release-version-10016-ifix1-eus>
Fix Central: https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=10.0.1.6&platform=All&function=all

10.0.4.0-ifix3
Release Announce notes: <https://www.ibm.com/support/pages/node/6571313>
IBM Docs: <https://www.ibm.com/docs/en/api-connect/10.0.x?topic=aco-whats-new-in-latest-release-version-10040-ifix3>
Fix Central: https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=10.0.4.0&platform=All&function=all (Filter fix details: 10.0.4.0-ifix3 )

| | |
| | |

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm api connecteq10

CPE	Name	Operator	Version
	ibm api connect	eq	10

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

JSON

Related for F243281320AFD7E2710EDC7B3D2DE73901C6546A063CD6DB1074893EA50F7F8E