Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMAAB7546D55535C212124ACA05CA15A342B7367AA96D7ECCEEBB3F4E25B01CBF8
HistoryMar 03, 2023 - 8:42 p.m.

Security Bulletin: Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator

2023-03-0320:42:40
www.ibm.com
48
watson machine learning accelerator
json4j cves
version upgrade
security bulletin
cloud pak for data

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.01

Percentile

84.1%

JSON

Summary

Watson Machine Learning Accelerator is affected by multiple json4j CVEs (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541, CVE-2022-45690, CVE-2022-46175, CVE-2022-4742). We fixed by removing json4j.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s) Version(s)
Watson Machine Learning Accelerator on Cloud Pak for Data All

Remediation/Fixes

Watson Machine Learning Accelerator version 3.1.0 and above fixed json4j CVEs by replacing json4j.

1. For Watson Machine Learning Accelerator version 2.4.x, 2.5.0, 2.6.0, 3.0.0

Follow <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=accelerator-upgrading&gt; to upgrade from WMLA 2.4.x/2.5.0/2.6.0/3.0.0 to WMLA 3.1.0 or above version.

2. For Watson Machine Learning Accelerator version 2.3.x

To address the affected version, first upgrade to IBM Watson Machine Learning Accelerator 2.3.5 by following the document <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade&gt;
Then upgrade from WMLA 2.3.5 to WMLA 3.1.0 or above version following <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=accelerator-upgrading&gt;

3. For Watson Machine Learning Accelerator version 2.2.x

To address the affected version

a. upgrade to IBM Watson Machine Learning Accelerator 2.2.6 by following the document <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=accelerator-upgrading-watson-machine-learning&gt;

b. upgrade from IBM Watson Machine Learning Accelerator 2.2.6 to IBM Watson Machine Learning Accelerator 2.3.1 following <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade&gt;

c. upgrade all the way to IBM Watson Machine Learning Accelerator 2.3.5 following <https://www.ibm.com/docs/en/wmla/2.3?topic=installation-install-upgrade&gt;

d. upgrade from WMLA 2.3.5 to WMLA 3.1.0 or above version following <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=accelerator-upgrading&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_machine_learning_on_cloud_pak_for_dataMatchany
VendorProductVersionCPE
ibmwatson_machine_learning_on_cloud_pak_for_dataanycpe:2.3:a:ibm:watson_machine_learning_on_cloud_pak_for_data:any:*:*:*:*:*:*:*

Related

ibm 34
vulnrichment 2
veracode 7
osv 16
cvelist 7
prion 6
nvd 7
gitlab 1
github 9
cve 7
redhatcve 6
githubexploit 4
debiancve 1
nessus 14
debian 1
openvas 3
fedora 1
ubuntu 1
ubuntucve 1
cbl_mariner 1
thn 1
hivepro 1
redhat 12
oracle 1
ibm
ibm
Security Bulletin: Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540
2023-03-27 20:08:12
Security Bulletin: IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541)
2023-04-04 07:11:29
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to multiple jsonwebtoken CVEs
2023-01-30 10:40:47
vulnrichment
vulnrichment
CVE-2022-23541 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
2022-12-22 17:52:22
CVE-2022-23540 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
2022-12-22 18:02:24
veracode
veracode
Unrestricted Key Type
2022-12-23 07:07:33
Incorrect Verification Of Tokens
2022-12-23 06:16:20
Denial Of Service (DoS)
2022-12-15 03:36:16
osv
osv
CVE-2022-23540
2022-12-22 19:15:08
hutool-json stack overflow vulnerability
2022-12-13 15:30:26
CVE-2022-45690
2022-12-13 15:15:11
cvelist
cvelist
CVE-2022-23540 jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
2022-12-22 18:02:24
CVE-2022-23541 jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
2022-12-22 17:52:22
CVE-2022-45690
2022-12-13 00:00:00
prion
prion
Design/Logic Flaw
2022-12-22 18:15:00
Stack overflow
2022-12-13 15:15:00
Type confusion
2022-12-23 00:15:00
nvd
nvd
CVE-2022-23540
2022-12-22 19:15:08
CVE-2022-23539
2022-12-23 00:15:12
CVE-2022-23541
2022-12-22 18:15:09
gitlab
gitlab
hutool-json stack overflow vulnerability
2022-12-13 00:00:00
github
github
hutool-json stack overflow vulnerability
2022-12-13 15:30:26
jsonwebtoken unrestricted key type could lead to legacy keys usage
2022-12-22 03:32:22
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
2022-12-22 03:33:19
cve
cve
CVE-2022-23539
2022-12-23 00:15:12
CVE-2022-23541
2022-12-22 18:15:09
CVE-2022-45690
2022-12-13 15:15:11
redhatcve
redhatcve
CVE-2022-23540
2023-02-23 18:29:15
CVE-2022-23541
2023-02-23 18:59:15
CVE-2022-23539
2022-12-23 08:34:49
githubexploit
githubexploit
Exploit for Improper Verification of Cryptographic Signature in Auth0 Jsonwebtoken
2023-01-17 10:34:10
Exploit for Prototype Pollution in Json5
2023-01-11 12:48:17
Exploit for CVE-2022-23529
2023-01-16 02:35:54
debiancve
debiancve
CVE-2022-46175
2022-12-24 04:15:08
nessus
nessus
Fedora 37 : pgadmin4 (2023-e7297a4aeb)
2023-01-29 00:00:00
Debian DLA-3665-1 : node-json5 - LTS security update
2023-11-25 00:00:00
RHEL 8 : gjs (Unpatched Vulnerability)
2024-06-03 00:00:00
debian
debian
[SECURITY] [DLA 3665-1] node-json5 security update
2023-11-25 22:33:10
openvas
openvas
Ubuntu: Security Advisory (USN-6758-1)
2024-05-01 00:00:00
Fedora: Security Advisory for pgadmin4 (FEDORA-2023-e7297a4aeb)
2023-01-30 00:00:00
Debian: Security Advisory (DLA-3665-1)
2023-11-27 00:00:00
fedora
fedora
[SECURITY] Fedora 37 Update: pgadmin4-6.19-1.fc37
2023-01-30 01:27:10
ubuntu
ubuntu
JSON5 vulnerability
2024-04-30 00:00:00
ubuntucve
ubuntucve
CVE-2022-46175
2022-12-24 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-46175 affecting package python-tensorboard for versions less than 2.16.2-2
2024-07-24 01:44:36
thn
thn
Severe Security Flaw Found in "jsonwebtoken" Library Used by 22,000+ Projects
2023-01-10 08:54:00
hivepro
hivepro
New Vulnerability Found in the JsonWebToken Open-Source Project
2023-01-10 12:11:46
redhat
redhat
(RHSA-2023:3265) Moderate: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update
2023-05-23 09:15:39
(RHSA-2023:3815) Important: Service Registry (container images) release and security update [2.4.3 GA]
2023-06-27 11:27:30
(RHSA-2023:0634) Moderate: Red Hat OpenShift (Logging Subsystem) security update
2023-02-09 13:59:38
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.01

Percentile

84.1%

JSON
Related for AAB7546D55535C212124ACA05CA15A342B7367AA96D7ECCEEBB3F4E25B01CBF8
ibm34vulnrichment2veracode7osv16cvelist7prion6nvd7gitlab1github9cve7redhatcve6githubexploit4debiancve1nessus14debian1openvas3fedora1ubuntu1ubuntucve1cbl_mariner1thn1hivepro1redhat12oracle1