IBM0C2B45E28CF83BD79C828B23109B9453CD5A2E01B9A4065A4FE0C550F9D34AD4Security Bulletin: Potential vulnerability in Apache Calcite Avatica affects IBM Operations Analytics - Log Analysis (CVE-2022-36364)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
51.7%
Summary
Prior to version 1.22.0 vulnerability in Apache Calcite Avatica allow a remote attacker to execute arbitrary code on the system. This has been fixed.
Vulnerability Details
CVEID:CVE-2022-36364
**DESCRIPTION:**Apache Calcite Avatica could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the JDBC driver. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232360 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Log Analysis | 1.3.5.3 |
| Log Analysis | 1.3.6.0 |
| Log Analysis | 1.3.6.1 |
| Log Analysis | 1.3.7.0 |
| Log Analysis | 1.3.7.1 |
| Log Analysis | 1.3.7.2 |
Remediation/Fixes
| Version | Fix details |
|---|---|
| IBM Operations Analytics - Log Analysis version 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2 | Upgrade to Log Analysis version 1.3.7.2 Interim Fix 1. Download the 1.3.7.2-TIV-IOALA-IF001. For Log Analysis prior to 1.3.7.2, upgrade to 1.3.7-TIV-IOALA-FP2 before installing this fix. |
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | smartcloud_analytics_log_analysis | 1.3.5.3 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.5.3:*:*:*:*:*:*:* |
| ibm | smartcloud_analytics_log_analysis | 1.3.6.0 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.6.0:*:*:*:*:*:*:* |
| ibm | smartcloud_analytics_log_analysis | 1.3.6.1 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.6.1:*:*:*:*:*:*:* |
| ibm | smartcloud_analytics_log_analysis | 1.3.7.0 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.0:*:*:*:*:*:*:* |
| ibm | smartcloud_analytics_log_analysis | 1.3.7.1 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.1:*:*:*:*:*:*:* |
| ibm | smartcloud_analytics_log_analysis | 1.3.7.2 | cpe:2.3:a:ibm:smartcloud_analytics_log_analysis:1.3.7.2:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
51.7%