Lucene search

IBMBFA4C81B5055BBA91E61D5C46CCD068FAC42B3D6AFF17FD091C379441B560C36

HistoryJan 19, 2023 - 11:52 a.m.

Security Bulletin: IBM Spectrum Conductor is vulnerable to arbitrary code execution [CVE-2022-42889]

2023-01-1911:52:46

www.ibm.com

ibm spectrum conductor

cve-2022-42889

apache commons text

arbitrary code execution

fix

vulnerability

apache commons text 1.10.0

remote attacker

cvss base score 9.8

insecure interpolation flaw

system

products

versions

remediation

ibm spectrum conductor 2.4.1

2.5.0

2.5.1

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.971

Percentile

99.8%

JSON

Summary

Apache Commons Text is used by IBM Spectrum Conductor in Spark 3.0.1. This bulletin provides interim fixes which include Apache Commons Text 1.10.0 to fix arbitrary code execution in IBM Spectrum Conductor. [CVE-2022-42889]

Vulnerability Details

CVEID:CVE-2022-42889
**DESCRIPTION:**Apache Commons Text could allow a remote attacker to execute arbitrary code on the system, caused by an insecure interpolation defaults flaw. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

*Affected Product(s)*	Version(s)
IBM Spectrum Conductor	2.4.1
IBM Spectrum Conductor	2.5.0
IBM Spectrum Conductor	2.5.1

Remediation/Fixes

IBM strongly suggests the following remediation / fix:

Products	VRMF	APAR	*Remediation/First Fix*

IBM Spectrum Conductor

| 2.4.1| P104785| sc-2.4.1-build601386
IBM Spectrum Conductor| 2.5.0| P104786| sc-2.5-build601387
IBM Spectrum Conductor| 2.5.1|

P104789``

| sc-2.5.1-build601390

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmspectrum_controlMatch2.5.1

ibmspectrum_controlMatch2.5.0

ibmspectrum_controlMatch2.4.1

VendorProductVersionCPE
ibmspectrum_control2.5.1cpe:2.3:a:ibm:spectrum_control:2.5.1:*:*:*:*:*:*:*
ibmspectrum_control2.5.0cpe:2.3:a:ibm:spectrum_control:2.5.0:*:*:*:*:*:*:*
ibmspectrum_control2.4.1cpe:2.3:a:ibm:spectrum_control:2.4.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	spectrum_control	2.5.1	cpe:2.3:a:ibm:spectrum_control:2.5.1:::::::*
ibm	spectrum_control	2.5.0	cpe:2.3:a:ibm:spectrum_control:2.5.0:::::::*
ibm	spectrum_control	2.4.1	cpe:2.3:a:ibm:spectrum_control:2.4.1:::::::*