
Security Bulletin: Potential vulnerability in Apache Commons Configuration affects IBM Operations Analytics - Log Analysis (CVE-2022-33980)

2022-11-18 03:08:22
www.ibm.com
Tags: apache commons configuration, ibm operations analytics, log analysis, cve-2022-33980, remote attacker, arbitrary code, system, upgrade, interim fix

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 9.6 (Confidence: High)

EPSS: 0.215 (Percentile: 96.5%)

Summary

A vulnerability in Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system. This has been fixed.

Vulnerability Details

**CVEID:** CVE-2022-33980
**DESCRIPTION:** Apache Commons Configuration could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when using the interpolation defaults. By using a specially-crafted configuration, an attacker could exploit this vulnerability to execute arbitrary code or perform unintentional contact with remote servers.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230563 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| Log Analysis | 1.3.7.0 |
| Log Analysis | 1.3.7.1 |
| Log Analysis | 1.3.7.2 |

Remediation/Fixes

| Version | Fix details |
|---|---|
| IBM Operations Analytics - Log Analysis version 1.3.7.0, 1.3.7.1, 1.3.7.2 | Upgrade to Log Analysis version 1.3.7.2 Interim Fix 1. Download the 1.3.7.2-TIV-IOALA-IF001. For Log Analysis prior to 1.3.7.2, upgrade to 1.3.7-TIV-IOALA-FP2 before installing this fix. |

Workarounds and Mitigations

None

Affected configurations

Match any of the following (Vulners node):

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | smartcloud_analytics_log_analysis | 1.3.7.0 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.0:*:*:*:*:*:*:* |
| ibm | smartcloud_analytics_log_analysis | 1.3.7.1 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.1:*:*:*:*:*:*:* |
| ibm | smartcloud_analytics_log_analysis | 1.3.7.2 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.2:*:*:*:*:*:*:* |