Critical Severity

Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Log4j 1.x

Share this post:

IBM Data Risk Manager (IDRM) 2.0.6.13, which is the only supported version, is impacted by multiple vulnerabilities including Apache Log4j 1.x (CVE-2019-17571, CVE-2022-23305, CVE-2022-23307, CVE-2022-23302, CVE-2021-4104, CVE-2020-9488, CVE-2020-9493) which was bundled within hadoop-client 3.3.2. The vulnerabilities have been addressed in the updated version of IDRM 2.0.6.14 which includes hadoop-client 3.3.3 and internally it packages latest Apache Log4j 2.x. Please see the remediation steps below to apply the fix. All customers are encouraged to act quickly to update their systems.

CVE(s): CVE-2022-1552, CVE-2022-22969, CVE-2022-21496 , CVE-2022-21434 , CVE-2022-21443 , CVE-2022-22971, CVE-2021-45346, CVE-2022-24785, CVE-2021-35561 , CVE-2022-0492, CVE-2022-22970, CVE-2022-29885, CVE-2022-25169, CVE-2022-22976, CVE-2022-21299 , CVE-2021-4028, CVE-2022-22968, CVE-2022-34305, CVE-2019-17571, CVE-2022-23305, CVE-2022-23307, CVE-2022-23302, CVE-2021-4104, CVE-2020-9488, CVE-2020-9493, IBM X-Force ID:   217968

Affected product(s) and affected version(s):

Affected Product(s) Version(s)
IBM DRM 2.0.6.13

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6610084
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/226521
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/224974
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/224777
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/224718
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/224726
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/226492
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/219912
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/223451
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/211637
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/218777
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/226491
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/226170
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/226627
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/226733
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217594
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/226067
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/224374
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/229596
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/173314
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/215048
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/180824
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/203829

More stories

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in MS Visual Studio (CVE-2022-24765).

August 4, 2022 | Critical Severity

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to vulnerable to arbitrary code execution in MS Visual Studio, caused by an uncontrolled search for the Git directory in Git (CVE-2022-24765). Git for Visual Studio is used in the base operating system of IBM Watson Speech. Please read the details for remediation below. ...read more


Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in Perl (CVE-2020-12723).

August 4, 2022 | Critical Severity

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in Perl, caused by recursive S_study_chunk calls in regcomp.c (CVE-2020-12723). This could allow a remote attacker to overflow a buffer and execute arbitrary code on the system. Perl is included in some of the operators used in IBM Watson Speech. Please read the details for remediation below. ...read more


Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965)

August 3, 2022 | Critical Severity

IBM Sterling B2B Integrator is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR (in contrast to a Spring Boot executable jar), 4. Spring-webmvc or spring-webflux dependency, 5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions. Spring Framework is used in the web application. Updated Spring library will be shipped in upcoming fix pack. ...read more