Mar 17, 2023 - 7:28 p.m.

Security Bulletin: Vulnerabilities in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)

2023-03-17 19:28:51
www.ibm.com

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.002
Percentile: 59.5%

Summary

IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments (Data Protection for Microsoft Hyper-V and Data Protection for VMware), and IBM Spectrum Protect for Space Management can be affected by vulnerabilities in Java SE. Vulnerabilities include denial of service and update, insert or delete of data, as described by the CVEs in the “Vulnerability Details” section.

Vulnerability Details

CVEID: CVE-2022-21628
**DESCRIPTION:** Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-21626
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-21624
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2022-21619
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Product | Versions |
|---|---|
| IBM Spectrum Protect Backup-Archive Client | 8.1.0.0 - 8.1.17.0 |
| IBM Spectrum Protect for Space Management | 8.1.0.0 - 8.1.17.0 |
| IBM Spectrum Protect for Virtual Environments: Data Protection for Microsoft Hyper-V | 8.1.0.0 - 8.1.17.0 |
| IBM Spectrum Protect for Virtual Environments: Data Protection for VMware | 8.1.0.0 - 8.1.17.0 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product | Fixing level | Platforms | Link to fix and instructions |
|---|---|---|---|
| IBM Spectrum Protect Backup-Archive Client | 8.1.17.2 | AIX, HP-UX, Linux, Macintosh, Solaris, Windows | <https://www.ibm.com/support/pages/node/6832422> |
| IBM Spectrum Protect for Space Management | 8.1.17.2 | AIX, Linux | <https://www.ibm.com/support/pages/node/6833196> |
| IBM Spectrum Protect for Virtual Environments: Data Protection for Microsoft Hyper-V | 8.1.17.2 | Windows | <https://www.ibm.com/support/pages/node/6827869> |
| IBM Spectrum Protect for Virtual Environments: Data Protection for VMware | 8.1.17.2 | Linux, Windows | <https://www.ibm.com/support/pages/node/6827869> |

Workarounds and Mitigations

None

Affected configurations

Vulners node:
ibm spectrum_protect_for_virtual_environments, Match 8.1.
OR
ibm spectrum_protect_for_space_management, Match 8.1.
OR
ibm spectrum_protect, Match 8.1.

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | spectrum_protect_for_virtual_environments | 8.1. | `cpe:2.3:a:ibm:spectrum_protect_for_virtual_environments:8.1.:*:*:*:*:*:*:*` |
| ibm | spectrum_protect_for_space_management | 8.1. | `cpe:2.3:a:ibm:spectrum_protect_for_space_management:8.1.:*:*:*:*:*:*:*` |
| ibm | spectrum_protect | 8.1. | `cpe:2.3:a:ibm:spectrum_protect:8.1.:*:*:*:*:*:*:*` |
