Lucene search

IBM8AC2B8BF18DFE033F865ED53A61B3DBEB5E0DF21D0F1634B030AAECB5AAD0C73

HistoryOct 04, 2023 - 10:44 a.m.

Security Bulletin: There are several vulnerabilities in Apache Batik used by IBM Jazz Reporting Service (CVE-2022-40146, CVE-2022-38648, CVE-2022-38398)

2023-10-0410:44:16

www.ibm.com

apache batik

ibm jazz reporting service

ssrf

cve-2022-40146

cve-2022-38648

cve-2022-38398

upgraded version

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

69.4%

JSON

Summary

There are several vulnerabilities in Apache Batik used by IBM Jazz Reporting Service(JRS). This vulnerabiliity is addressed in JRS by upgrading to a version of Apache Batik that resolves the issue.

Vulnerability Details

CVEID:CVE-2022-40146
**DESCRIPTION:**Apache Batik is vulnerable to server-side request forgery, caused by a flaw in the DefaultScriptSecurity function. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to access files using a Jar url.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-38648
**DESCRIPTION:**Apache Batik is vulnerable to server-side request forgery, caused by a flaw when calling the fop function. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to fetch external resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236846 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2022-38398
**DESCRIPTION:**Apache Batik is vulnerable to server-side request forgery, caused by a flaw in the DefaultExternalResourceSecurity function. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to load a url thru the jar protocol.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236845 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Jazz Reporting Service	7.0.2
IBM Jazz Reporting Service	7.0.1

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central and apply for each affected product as soon as possible.
Released a iFix version for Jazz Reporting Service 7.0.2 iFix021: To ensure users could protect themselves from this vulnerability, the upgraded version of Apache Batik-bridge has been released in this ifix.

Product	Version	iFix	Remediation / First Fix
IBM Jazz Reporting Service	7.0.2	iFix021	Fix Central - 7.0.2

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmibm_engineering_lifecycle_management_baseMatch7.0.2

CPENameOperatorVersion
ibm engineering lifecycle management baseeq7.0.2

CPE	Name	Operator	Version
	ibm engineering lifecycle management base	eq	7.0.2

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.003 Low

EPSS

Percentile

69.4%

JSON

Related for 8AC2B8BF18DFE033F865ED53A61B3DBEB5E0DF21D0F1634B030AAECB5AAD0C73