IBM71D80495B32941467DDE2C9316F76774F69F6820797A74D71652653189E7FDB7Security Bulletin: Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.006 Low
EPSS
Percentile
78.7%
Summary
This bulletin addresses multiple vulnerabilities in Data Virtualization on IBM Cloud Pak for Data. Note that Data Virtualization is rebranded to Watson Query starting in IBM Cloud Pak for Data version 4.6.
Vulnerability Details
CVEID:CVE-2022-37598
**DESCRIPTION:**Node.js UglifyJS module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the DEFNODE function in ast.js. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238762 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-31129
**DESCRIPTION:**Moment is vulnerable to a denial of service, caused by inefficient regular expression complexity. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230690 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-42581
**DESCRIPTION:**Ramda could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the mapObjIndexed function. By supplying a specially-crafted object using the proto argument, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226072 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-3517
**DESCRIPTION:**minimatch is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the braceExpand function. By sending specially-crafted regex arguments, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-37620
**DESCRIPTION:**Node.js html-minifier module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the cleanAttributeValue function in htmlminifier.js. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239541 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-25758
**DESCRIPTION:**Node.js scss-tokenizer module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) vulnerability in the loadAnnotation() function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230259 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-25901
**DESCRIPTION:**Node.js cookiejar module is vulnerable to a denial of service, caused by an insecure regular expression in the Cookie.parse function. A remote attacker could exploit this vulnerability to cause a regular expression denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2021-42740
**DESCRIPTION:**Node.js shell-quote module could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw with windows drive letter regex. By sending a specially-crafted shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-25858
**DESCRIPTION:**Node.js terser module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231377 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**IBM X-Force ID:**228527
**DESCRIPTION:**Node.js mocha module is vulnerable to a denial of service, caused by a Regular Expression Denial of Service (ReDoS) in the clean function in utils.js. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228527 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | DV Version(s) | CPD Version(s) |
|---|---|---|
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.1 - 1.7.3 | 4.0 Refresh 1 - 3 |
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.3 | 4.0 Refresh 4 |
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.5 - 1.7.7 | 4.0 Refresh 5 - 7 |
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.7 | 4.0 Refresh 8 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
| Affected Product(s) | DV Version(s) | CPD Version(s) | Fixes |
|---|---|---|---|
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.1 - 1.7.3 | 4.0 Refresh 1 - 3 | Upgrade to version 1.8.0 or later Refresh (DV) / 4.5 (CPD) |
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.3 | 4.0 Refresh 4 | Upgrade to version 1.8.0 or later Refresh (DV) / 4.5 (CPD) |
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.5 - 1.7.7 | 4.0 Refresh 5 - 7 | Upgrade to version 1.8.0 or later Refresh (DV) / 4.5 (CPD) |
| IBM Data Virtualization(DV) on Cloud Pak for Data(CPD) | 1.7.7 | 4.0 Refresh 8 | Upgrade to version 1.8.0 or later Refresh (DV) / 4.5 (CPD) |
You must update the Cloud Pak for Data platform to version 4.5 or later to install the fix for Data Virtualization. Note that Data Virtualization was rebranded to Watson Query starting in version 4.6. IBM strongly recommends upgrading to the most recent release Data Virtualization on Cloud Pak for Data.
To upgrade the Cloud Pak for Data platform from version 4.0 to version 4.5 or 4.6, see the following documentation:
- Upgrading Data Virtualization from Version 4.0 to Version 4.5
- Upgrading Watson Query from Version 4.0 to Version 4.6
To upgrade the Cloud Pak for Data platform from version 4.5 to version 4.6, see the following documentation:
To upgrade the Cloud Pak for Data platform from version 4.6 to version 4.7, see the following documentation:
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.006 Low
EPSS
Percentile
78.7%