CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS
Metric | Value |
---|---|
Percentile | 60.3% |

Watson Machine Learning Accelerator is affected by, but not classified as vulnerable to, a remote code execution in Spring Framework (CVE-2022-22971), because it does not meet all of the following criteria:
1. JDK 9 or higher
2. Apache Tomcat as the Servlet container
3. Packaged as WAR (in contrast to a Spring Boot executable jar)
4. spring-webmvc or spring-webflux dependency
5. Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

WMLA uses Spring Framework to manage the Java application's dependency injection, events, resources, i18n, validation, data binding, type conversion, SpEL, and AOP. The fix includes Spring 5.3.20.

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Product(s) | Version(s) |
---|---|
Watson Machine Learning Accelerator on Cloud Pak for Data | 2.2.x; 2.3.x |

1. For Watson Machine Learning Accelerator version 2.2.x:
To address the affected version, upgrade to IBM Watson Machine Learning Accelerator 2.2.5 by following the document <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning>.
2. For Watson Machine Learning Accelerator version 2.3.x:
To address the affected version, upgrade to IBM Watson Machine Learning Accelerator 2.3.5 by following the document <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade>.
Then follow <https://ibmdocs-test.mybluemix.net/docs/en/cloud-paks/cp-data/4.5.x?topic=accelerator-upgrading> to upgrade from WMLA 2.3.5 to WMLA 2.4.0.

None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_watson_machine_learning_accelerator | 2.2. | cpe:2.3:a:ibm:ibm_watson_machine_learning_accelerator:2.2.:*:*:*:*:*:*:* |
ibm | ibm_watson_machine_learning_accelerator | 2.3. | cpe:2.3:a:ibm:ibm_watson_machine_learning_accelerator:2.3.:*:*:*:*:*:*:* |