Lucene search

IBMCB21B0D6C5AD54434B8C62042C5EFBC4291D000B7400E7A5FB23EE38B27C9752

HistoryJan 15, 2024 - 7:22 p.m.

Security Bulletin: There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Asset Management application (CVE-2022-44730 and CVE-2022-44729)

2024-01-1519:22:36

www.ibm.com

ibm maximo asset management

batik-all-1.15.jar

ssrf vulnerability

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

AI Score

7.1

Confidence

High

EPSS

0.003

Percentile

68.1%

JSON

Summary

There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Asset Management application.

Vulnerability Details

CVEID:CVE-2022-44730
**DESCRIPTION:**Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to probe user profile/data and send it directly as parameter to a URL.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264130 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-44729
**DESCRIPTION:**Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to cause resource consumption and obtain sensitive information.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264129 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)

Affected Products and Versions

Product versions affected:

Affected Product(s)	Version(s)
IBM Maximo Asset Management	7.6.1.2
IBM Maximo Asset Management	7.6.1.3

To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management 7.6:

VRM	Fix Pack, Feature Pack, or Interim Fix	Download
7.6.1.2	Maximo Asset Management 7.6.1.2 iFix:
7.6.1.2-TIV-MBS-IFI040 or latest Interim Fix available	FixCentral
7.6.1.3

Maximo Asset Management 7.6.1.3 iFix:

7.6.1.3-TIV-MBS-IF015 or latest Interim Fix available

FixCentral

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmaximo_asset_managementMatch7.6.1

VendorProductVersionCPE
ibmmaximo_asset_management7.6.1cpe:2.3:a:ibm:maximo_asset_management:7.6.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	maximo_asset_management	7.6.1	cpe:2.3:a:ibm:maximo_asset_management:7.6.1:::::::*

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

AI Score

7.1

Confidence

High

EPSS

0.003

Percentile

68.1%

JSON

Related for CB21B0D6C5AD54434B8C62042C5EFBC4291D000B7400E7A5FB23EE38B27C9752