Product Updates & Security Announcements

CVEID 

Published 

Severity 

Description 

Products affected 

Remediation 

APAR list 

CVE-2022-42889 

10-Feb 

Critical 

There is a vulnerability in Apache Commons Text that could allow a remote attacker to execute arbitrary code on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. 

IBM Process Mining 1.13.1 

Upgrade to version 1.13.2 
1.Login to PassPortAdvantage 
2. Search for M09PSML Process Mining 1.13.2 Server Multiplatform Multilingual 
3. Download package 
4. Follow install instructions 
5. Repeat for M09PTML Process Mining 1.13.2 Client Windows Multilingual 

CVE-2022-43680 

10-Feb 

Critical 

Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender may lead to denial of service or arbitrary code execution. These vulnerabilities have been addressed. 

IBM DB2 V9.7, 10.1, 10.5, 11.1 

Customers running any vulnerable fixpack level of an affected Program, V9.7, V10.1, V10.5, and v11.1, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V9.7 FP11, V10.1 FP6, V10.5 FP11, and V11.1.4 FP7. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. 

CVE-2022-43930 

10-Feb 

Critical 

IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) 

Db2 for Linux, UNIX and Windows 

Customers running any vulnerable fixpack level of an affected Program,  V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. 

CVE-2022-25887 

10-Feb 

Critical 

 Node.js sanitize-html module is vulnerable to a denial of service, caused by insecure global regular expression replacement logic of HTML comment removal. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). 

IBM Business Automation Workflow traditional 

Apply DT178158 

DT178158 

CVE-2023-23477 

10-Feb 

Critical 

WebSphere Application Server is shipped as a component of IBM Business Automation Workflow. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin. 

IBM Business Automation Workflow traditional 8.5 and 9.0 

Apply fixpack 9.0.5.8 or 8.5.5.20 

CVE-2022-21628 

10-Feb 

Critical 

Multiple Vulnerabilities were disclosed as part of the Oracle October 2022 Critical Patch Update. 

ICC for SAP v4.0 

Use IBM Content Collector for SAP Applications4.0.0.2-ICCSAP-FP2-JRE-8.0.7.20 
Use IBM Content Collector for SAP Applications4.0.0.3-ICCSAP-Base-JRE-8.0.7.20 
Use IBM Content Collector for SAP Applications4.0.0.4-ICCSAP-Base-JRE-8.0.7.20 

CVE-2022-37734  

23-Jan  

High  

Vulnerability has been identified in WebSphere Application Server Liberty shipped with Cloud Pak System. Information about vulnerability has been published in security bulletin.  

IBM Cloud Pak System Software Suite 2.3.3.0  
IBM Cloud Pak System 2.3  
IBM WebSphere Application Server Liberty 17.0.0.3-22.0.0.11  

Apply Interim Fix PH49719  

PH49719.  

CVE-2022-21496  

23-Jan  

High  

Multiple Java SE related vulnerabilities  

FileNet Content Manager 5.5.4.0, 5.5.7.0, 5.5.8.0, 5.5.9.0  

Apply Patches depending on your version of FileNet Content Manager  

CVE-2022-21626  

23-Jan  

Medium  

A vulnerability exists in IBM® Runtime Environment Java™ Versions 8, which is used by the desktop version of IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow. IBM Process Designer has addressed the applicable CVE.  

IBM Business Automation Workflow 19.0.0.3 – 22.0.1  

Install Interim Fix for your BAW version  

CVE-2022-42003  

20-Jan  

Medium  

FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.  

BAW V22.0.1 and IF004  
BAW V21.0.3 and IF014  
V21.0.2, V20.0.0.2, V20.0.0.1  

Install Interim Fix for your BAW version  

DT169189  

CVE-2022-42004  

19-Jan  

Medium  

  FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.  

V22.0.1 – V22.0.1-IF004  
V21.0.3 – V21.0.3-IF014  
V21.0.2 all fixes  
V20.0.0.2 all fixes  
V20.0.0.1 all fixes  

Install Interim Fix for your BAW version  

DT169189  

CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420  

19-Jan  

Medium  

Mellium mellium.im/sasl could provide weaker than expected security, caused by a flaw when performing SCRAM-based SASL authentication. An attacker could exploit this vulnerability to cause insufficient randomness being used during authentication.  

CloudPak for Security 1.10.0.0 – 1.10.7.0  

Upgrade CP4S to at least 1.10.8.0  

CVE-2022-3517  

19-Jan  

High  

minimatch is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the braceExpand function. By sending specially-crafted regex arguments, a remote attacker could exploit this vulnerability to cause a denial of service condition.  

IBM Process Mining 1.13.1  

Upgrade to version 1.13.2