Security Bulletin: Vulnerabilities in Java and WLP affect IBM Cloud Application Business Insights

Published: 2022-12-30 15:09:22
Source: www.ibm.com

CVSS2: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

CVSS3: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: LOW

EPSS: 0.004 (Percentile: 72.1%)

Summary

Vulnerabilities in Java and WLP affect IBM Cloud Application Business Insights

Vulnerability Details

CVEID: CVE-2021-20492
**DESCRIPTION:** IBM WebSphere Application Server 8.0, 8.5, 9.0, and Liberty Java Batch is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 197793.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/197793 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L)

CVEID: CVE-2021-2161
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/200290 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Cloud Application Business Insights | 1.1.3
IBM Cloud Application Business Insights | 1.1.4
IBM Cloud Application Business Insights | 1.1.5
IBM Cloud Application Business Insights | 1.1.6

Remediation/Fixes

The vulnerabilities can be remediated by applying ICABI FixPack 1.1.5.4 to all systems where IBM Cloud Application Business Insights version 1.1.5 is installed.

The vulnerabilities can be remediated by applying ICABI FixPack 1.1.6.3 to all systems where IBM Cloud Application Business Insights version 1.1.6 is installed.

The fixes can be found at the following locations:

Download Description | Download Link (Fix Central)
1.1.5.4 Fix Pack | https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Cloud+App+Management&fixids=ICABI_1.1.5.4.xml&source=SAR
1.1.6.3 Fix Pack | http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FIBM+Cloud+App+Management&fixids=ICABI_1.1.6.3.xml&source=SAR

**NOTE:** Only IBM Cloud Application Business Insights version 1.1.5 and later versions are supported. Upgrade your IBM Cloud Application Business Insights to its latest version to get access to all the latest features and fixes.

Workarounds and Mitigations

None

