History: Jul 12, 2023 - 8:26 a.m.

Security Bulletin: IBM Cloud Pak for Data Affected by Malicious File Upload Vulnerability (CVE-2022-36769)

2023-07-12 08:26:36
www.ibm.com
Tags: ibm cloud pak for data, vulnerability, malicious file upload, privileged user, ibm watson knowledge catalog, remediation, jdbc drivers, auditable messages

CVSS3: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001
Percentile: 30.3%

Summary

IBM Cloud Pak for Data could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product’s environment. This vulnerability has been addressed.

Vulnerability Details

CVEID: CVE-2022-36769
DESCRIPTION: IBM Cloud Pak for Data could allow a privileged user to upload malicious files of dangerous types that can be automatically processed within the product’s environment.
CVSS Base score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/232034 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Watson Knowledge Catalog on-prem | 4.x

Remediation/Fixes

Install IBM Cloud Pak for Data 4.6.4 or higher.

IBM Cloud Pak for Data 4.6.4 and above restricts JDBC driver uploads to a defined set of users. For instance, the admin user, or any user with the “Administrator” role, can upload JDBC drivers. The Administrator role carries the “Administer platform” permission, which is required to upload JDBC drivers. Users with the “Platform administration” role can also upload JDBC drivers; that role carries both the “Administer platform” and “Manage configurations” permissions. The “Manage configurations” permission is the more granular of the two, and you can revoke it from users who do not require the ability to upload JDBC drivers.

Additionally, IBM Cloud Pak for Data implemented new auditable messages that can be used to monitor and track JDBC driver upload activities.

Workarounds and Mitigations

None.

Affected configurations

Vulners node: ibm cloud_pak_for_data, match any
Vendor: ibm
Product: cloud_pak_for_data
Version: any
CPE: cpe:2.3:a:ibm:cloud_pak_for_data:any:*:*:*:*:*:*:*

