Lucene search
IBMA5071A393EC8AD3C59E3517F73FC772A20B64DEA633B4642419E72984892F891HistoryJan 09, 2023 - 4:57 p.m.
Security Bulletin: Code injection vulnerability affect IBM Business Automation Workflow (CVE-2022-42920)
2023-01-0916:57:44
www.ibm.com
72
ibm business automation workflow
code injection
vulnerability
apache commons bcel
remote attacker
security restrictions
out-of-bounds write flaw
cvss base score 9.8
cve-2022-42920
interim fix
cumulative fix
apar dt174250
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.019 Low
EPSS
Percentile
88.8%
Summary
IBM Business Automation Workflow packages Apache Commons BCEL. A code injection vulnerability affecting BCEL was reported. (CVE-2022-42920)
Vulnerability Details
CVEID:CVE-2022-42920
**DESCRIPTION:**Apache Commons BCEL could allow a remote attacker to bypass security restrictions, caused by an out-of-bounds write flaw in the APIs. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain control over the resulting bytecode than otherwise expected.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239562 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.2 | not affected |
| IBM Business Automation Workflow containers | V22.0.1 - V22.0.1-IF005 | |
| V21.0.3 - V21.0.3-IF015 | ||
| V21.0.2 all fixes | ||
| V20.0.0.2 all fixes | ||
| V20.0.0.1 all fixes | affected | |
| IBM Business Automation Workflow traditional | V22.0.2 | not affected |
| IBM Business Automation Workflow traditional | V22.0.1 | |
| V21.0.1 - V21.0.3.1 | ||
| V20.0.0.1 - V20.0.0.2 | ||
| V19.0.0.1 - V19.0.0.3 | affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT174250 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 | Apply 22.0.1-IFT006 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF016 |
| or upgrade to 22.0.1-IFT006 or later | ||
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF016 | |
| or upgrade to 22.0.1-IFT006 or later | ||
| IBM Business Automation Workflow traditional | V22.0.1 | Apply DT174250 |
| IBM Business Automation Workflow traditional | V21.0.3 | Apply DT174250 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT174250 | ||
| IBM Business Automation Workflow traditional | V21.0.2 | Upgrade to IBM Business Automation Workflow 21.0.3.1 and apply DT174250 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT174250 | ||
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT174250 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT174250 | ||
| IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply DT174250 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT174250 | ||
| IBM Business Automation Workflow traditional | V19.0.0.3 | Apply DT174250 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT174250 | ||
| IBM Business Automation Workflow traditional | V19.0.0.1 - V19.0.0.2 | Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply DT174250 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT174250 |
Workarounds and Mitigations
None
Affected configurations
Node
ibmbusiness_automation_workflowMatch18.0.0.0
ORibmbusiness_automation_workflowMatch18.0.0.1
ORibmbusiness_automation_workflowMatch18.0.0.2
ORibmbusiness_automation_workflowMatch19.0.0.1
ORibmbusiness_automation_workflowMatch19.0.0.2
ORibmbusiness_automation_workflowMatch19.0.0.3
ORibmbusiness_automation_workflowMatch20.0.0.1
ORibmbusiness_automation_workflowMatch20.0.0.2
ORibmbusiness_automation_workflowMatch21.0.2
ORibmbusiness_automation_workflowMatch21.0.3
ORibmbusiness_automation_workflowMatch22.0.1
ORibmbusiness_automation_workflowMatch22.0.2
Related
nessus
nessus
RHEL 7 : rh-maven36-bcel (RHSA-2022:8959)
2022-12-13 00:00:00
Fedora 36 : bcel (2022-0e358addb8)
2022-12-23 00:00:00
RHEL 9 : bcel (RHSA-2023:0005)
2023-01-02 00:00:00
osv
osv
CVE-2022-42920
2022-11-07 13:15:10
Important: bcel security update
2023-01-02 06:07:03
Important: bcel security update
2023-01-02 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for bcel (EulerOS-SA-2023-2137)
2023-06-09 00:00:00
Fedora: Security Advisory for bcel (FEDORA-2022-01a56f581c)
2022-12-11 00:00:00
CentOS: Security Advisory for bcel (CESA-2022:8958)
2023-07-30 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: bcel-6.4.1-10.fc36
2022-12-11 01:40:33
[SECURITY] Fedora 37 Update: bcel-6.5.0-3.fc37
2022-12-11 01:27:15
[SECURITY] Fedora 35 Update: bcel-6.4.1-10.fc35
2022-12-11 01:47:38
rocky
rocky
bcel security update
2023-01-02 06:07:03
cvelist
cvelist
nvd
nvd
CVE-2022-42920
2022-11-07 13:15:10
centos
centos
bcel security update
2023-07-27 14:36:35
ubuntucve
ubuntucve
CVE-2022-42920
2022-11-07 00:00:00
redhat
redhat
(RHSA-2022:8959) Important: rh-maven36-bcel security update
2022-12-13 13:52:59
(RHSA-2023:0005) Important: bcel security update
2023-01-02 06:07:03
(RHSA-2023:0004) Important: bcel security update
2023-01-02 06:06:57
oraclelinux
oraclelinux
bcel security update
2022-12-14 00:00:00
bcel security update
2023-01-03 00:00:00
amazon
amazon
Important: bcel
2023-01-18 20:56:00
Important: bcel
2023-01-18 00:17:00
ibm
ibm
Security Bulletin: There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920)
2023-03-10 20:35:24
debiancve
debiancve
CVE-2022-42920
2022-11-07 13:15:10
cve
cve
CVE-2022-42920
2022-11-07 13:15:10
veracode
veracode
Out-of-bound Write
2022-11-08 07:11:00
almalinux
almalinux
Important: bcel security update
2023-01-02 00:00:00
redhatcve
redhatcve
CVE-2022-42920
2022-11-15 01:55:59
prion
prion
Out-of-bounds
2022-11-07 13:15:00
github
github
Apache Commons BCEL vulnerable to out-of-bounds write
2022-11-07 19:00:22
gentoo
gentoo
Apache Commons BCEL: Remote Code Execution
2024-05-05 00:00:00
OpenJDK: Multiple Vulnerabilities
2024-01-17 00:00:00
hp
hp
Apache Text4Shell and others update for Teradici Cloud Access Connector
2022-12-15 00:00:00
qualysblog
qualysblog
Oracle Patch Update, April 2024 Security Update Review
2024-04-17 14:39:59
Oracle Patch Update, January 2024 Security Update Review
2024-01-17 15:29:33
Oracle Patch Tuesday, October 2023 Security Update Review
2023-10-18 17:11:20
oracle
oracle
Oracle Critical Patch Update Advisory - January 2024
2024-01-16 00:00:00
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.019 Low
EPSS
Percentile
88.8%
Related for A5071A393EC8AD3C59E3517F73FC772A20B64DEA633B4642419E72984892F891