Critical Severity

Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]

IBM Cloud Pak for Business Automation is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]: Spring Framework versions in the affected range are present in the product, but the product as deployed does not meet all of the following criteria required for exploitation:

1. JDK 9 or higher
2. Apache Tomcat as the Servlet container
3. Packaged as a WAR (in contrast to a Spring Boot executable jar)
4. spring-webmvc or spring-webflux dependency
5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Parts of the Spring Framework are used in multiple components of Cloud Pak for Business Automation to perform transaction management, database access or processing of web requests. The fix includes Spring V5.3.20 and later and removes Spring from some product components. [CVE-2022-22965]
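The five criteria above are what a practitioner has to verify for each Spring deployment in their own environment. The following script is an added example, not IBM's tooling or part of the bulletin: it inventories the Spring jars inside a deployed archive, applies the five criteria, and reports whether every one holds. It assumes Maven-style jar names (spring-webmvc-5.3.17.jar) under WEB-INF/lib or BOOT-INF/lib, takes the JDK major version and servlet container as caller-supplied facts, and constructs its own sample archive in a temporary directory so it runs offline.

```python
"""Evaluate a deployed archive against the five CVE-2022-22965 preconditions.
Added example for this bulletin; not IBM's or the Spring project's own code."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: Maven-style jar names, e.g. WEB-INF/lib/spring-webmvc-5.3.17.jar.
# A Spring Boot executable jar keeps its libraries under BOOT-INF/lib instead.
_SPRING_JAR = re.compile(
    r"^(WEB-INF|BOOT-INF)/lib/(spring-(?:core|webmvc|webflux))"
    r"-(\d+)\.(\d+)\.(\d+)(?:[.-][^/]*)?\.jar$"
)


def spring_version_affected(version):
    """Criterion 5: 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and every older release."""
    major, minor, patch = version
    if (major, minor) == (5, 3):
        return patch <= 17
    if (major, minor) == (5, 2):
        return patch <= 19
    return (major, minor) < (5, 2)


def inspect_archive(archive_path):
    """Return (layout, spring_jars). layout is 'war', 'boot-jar' or 'unknown';
    spring_jars maps artifact name -> (major, minor, patch) parsed from the name."""
    with zipfile.ZipFile(archive_path) as zf:
        names = zf.namelist()
    spring_jars = {}
    for name in names:
        m = _SPRING_JAR.match(name)
        if m:
            spring_jars[m.group(2)] = tuple(int(x) for x in m.group(3, 4, 5))
    if any(n.startswith("BOOT-INF/") for n in names):
        layout = "boot-jar"          # executable jar: criterion 3 is not met
    elif any(n.startswith("WEB-INF/") for n in names):
        layout = "war"
    else:
        layout = "unknown"
    return layout, spring_jars


def assess(archive_path, jdk_major, servlet_container):
    """Apply criteria 1 to 5; meets_all_criteria is True only when all five hold."""
    layout, jars = inspect_archive(archive_path)
    web_jar = jars.get("spring-webmvc") or jars.get("spring-webflux")
    spring_version = web_jar or jars.get("spring-core")
    result = {
        "jdk_9_or_higher": jdk_major >= 9,
        "tomcat_container": servlet_container.strip().lower() == "tomcat",
        "packaged_as_war": layout == "war",
        "webmvc_or_webflux_present": web_jar is not None,
        "spring_version": spring_version,
        "spring_version_affected": spring_version is not None
        and spring_version_affected(spring_version),
    }
    result["meets_all_criteria"] = all(
        result[k] for k in (
            "jdk_9_or_higher", "tomcat_container", "packaged_as_war",
            "webmvc_or_webflux_present", "spring_version_affected",
        )
    )
    return result


def build_sample_archive(path, spring_version, boot_layout=False):
    """Constructed fixture: an archive containing empty placeholder Spring jars."""
    lib_dir = "BOOT-INF/lib" if boot_layout else "WEB-INF/lib"
    marker = "BOOT-INF/classes/application.properties" if boot_layout else "WEB-INF/web.xml"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(marker, "")
        for artifact in ("spring-core", "spring-webmvc"):
            zf.writestr(f"{lib_dir}/{artifact}-{spring_version}.jar", b"")


def demo(spring_version="5.3.17", jdk_major=11, servlet_container="tomcat",
         boot_layout=False):
    """Build a sample archive in a temp dir, assess it, and return the result dict."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / ("app.jar" if boot_layout else "app.war")
        build_sample_archive(archive, spring_version, boot_layout)
        return assess(archive, jdk_major, servlet_container)


if __name__ == "__main__":
    for label, kwargs in [
        ("Tomcat WAR on JDK 11 with Spring 5.3.17", {}),
        ("same deployment upgraded to Spring 5.3.20", {"spring_version": "5.3.20"}),
        ("same deployment on JDK 8", {"jdk_major": 8}),
        ("Spring Boot executable jar", {"boot_layout": True}),
    ]:
        print(f"{label}: {demo(**kwargs)}")
```

Point assess() at a real WAR pulled from the servlet container's deployment directory and pass the JDK major version and container name you observe on the host; a single False in the result is enough to put a deployment in the same "affected but not classified as vulnerable" category the bulletin describes, while an affected Spring version still means the upgrade should be applied.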

CVE(s): CVE-2022-22965

Affected product(s) and affected version(s):

Affected Product(s)                     Version(s)                               Status
IBM Cloud Pak for Business Automation   V22.0.1 – V22.0.1-IF001                  affected
IBM Cloud Pak for Business Automation   V21.0.3 – V21.0.3-IF011                  affected
IBM Cloud Pak for Business Automation   V21.0.2 – V21.0.2-IF012 and later fixes  affected
IBM Cloud Pak for Business Automation   V21.0.1 – V21.0.1-IF007 and later fixes  affected
IBM Cloud Pak for Business Automation   V20.0.1 – V20.0.3 and later fixes        affected
IBM Cloud Pak for Business Automation   V19.0.1 – V19.0.3 and later fixes        affected
IBM Cloud Pak for Business Automation   V18.0.0 – V18.0.2 and later fixes        affected

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6826635
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/223103
