History: Mar 12, 2024 - 5:33 p.m.

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to denial of service due to Hutool (CVE-2022-45688)

Published: 2024-03-12 17:33:14
Source: www.ibm.com
Tags: ibm sterling partner engagement manager, denial of service, hutool, vulnerability, upgrade, buffer overflow

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 6.8 (Confidence: High)
EPSS: 0.001 (Percentile: 41.7%)

Summary

IBM Sterling Partner Engagement Manager uses Hutool. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-45688
**DESCRIPTION:** Hutool is vulnerable to a denial of service, caused by a stack overflow in its JSON parsing (the public CVE record attributes it to JSONObject.parseObject in hutool-json 5.8.10). By sending a specially crafted request containing deeply nested JSON or XML data, a remote attacker could exploit this vulnerability to cause the application to crash. Because Hutool is a Java library, this is stack exhaustion from unbounded recursion (a StackOverflowError) rather than a memory-corrupting buffer overflow; the impact is availability only, which is what the CVSS vector (C:N/I:N/A:H) reflects.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242881 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
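The failure mode behind this class of bug, as an added illustration that is not from the IBM bulletin or from the Hutool project: the public description of CVE-2022-45688 is a stack overflow in Hutool's JSON parsing of deeply nested input. The minimal Python recursive-descent parser below (hypothetical code, not Hutool's) shows how an unbounded parser is exhausted by a constructed nested-array payload, while the same parser with a nesting limit rejects that payload with a clean, catchable error. The depth limit of 64 and the sample documents are assumptions chosen for the demonstration.

```python
"""Minimal recursive-descent JSON parser with an optional nesting-depth limit.

Added example (not Hutool's code). Assumptions: a hypothetical depth limit of
64 and constructed sample inputs; strings are parsed without escape handling.
"""


class DepthExceeded(ValueError):
    """Raised when the input nests deeper than the configured limit."""


class JsonSyntaxError(ValueError):
    """Raised on malformed input."""


def parse(text, max_depth=None):
    """Parse a JSON document.

    max_depth=None reproduces unbounded recursion (one Python frame pair per
    nesting level); a positive int rejects deeper input with DepthExceeded
    before the stack is consumed.
    """
    value, pos = _value(text, _skip_ws(text, 0), 0, max_depth)
    pos = _skip_ws(text, pos)
    if pos != len(text):
        raise JsonSyntaxError(f"trailing data at {pos}")
    return value


def _skip_ws(s, i):
    while i < len(s) and s[i] in " \t\r\n":
        i += 1
    return i


def _enter(depth, max_depth):
    # The check that an unbounded parser lacks: refuse to recurse further.
    if max_depth is not None and depth > max_depth:
        raise DepthExceeded(f"nesting depth {depth} exceeds limit {max_depth}")


def _value(s, i, depth, max_depth):
    if i >= len(s):
        raise JsonSyntaxError("unexpected end of input")
    c = s[i]
    if c == "[":
        return _container(s, i, depth + 1, max_depth, "]")
    if c == "{":
        return _container(s, i, depth + 1, max_depth, "}")
    if c == '"':
        return _string(s, i)
    for lit, val in (("true", True), ("false", False), ("null", None)):
        if s.startswith(lit, i):
            return val, i + len(lit)
    return _number(s, i)


def _container(s, i, depth, max_depth, closer):
    """Parse an array (closer ']') or object (closer '}'); each level recurses."""
    _enter(depth, max_depth)
    out = [] if closer == "]" else {}
    i = _skip_ws(s, i + 1)
    if i < len(s) and s[i] == closer:
        return out, i + 1
    while True:
        if closer == "}":
            if i >= len(s) or s[i] != '"':
                raise JsonSyntaxError(f"expected string key at {i}")
            key, i = _string(s, i)
            i = _skip_ws(s, i)
            if i >= len(s) or s[i] != ":":
                raise JsonSyntaxError(f"expected ':' at {i}")
            i = _skip_ws(s, i + 1)
        item, i = _value(s, i, depth, max_depth)
        if closer == "}":
            out[key] = item
        else:
            out.append(item)
        i = _skip_ws(s, i)
        if i < len(s) and s[i] == ",":
            i = _skip_ws(s, i + 1)
            continue
        if i < len(s) and s[i] == closer:
            return out, i + 1
        raise JsonSyntaxError(f"expected ',' or {closer!r} at {i}")


def _string(s, i):
    j = s.find('"', i + 1)
    if j == -1:
        raise JsonSyntaxError("unterminated string")
    return s[i + 1:j], j + 1


def _number(s, i):
    j = i
    while j < len(s) and s[j] in "+-0123456789.eE":
        j += 1
    if j == i:
        raise JsonSyntaxError(f"unexpected character {s[i]!r} at {i}")
    tok = s[i:j]
    return (float(tok) if any(ch in tok for ch in ".eE") else int(tok)), j


def classify(text, max_depth=None):
    """Report how parsing ends: 'ok', 'depth-limited', or 'stack-exhausted'."""
    try:
        parse(text, max_depth)
        return "ok"
    except DepthExceeded:
        return "depth-limited"
    except RecursionError:  # what an unbounded parser hits on deep input
        return "stack-exhausted"


# Constructed inputs: a benign document and a deeply nested array payload.
BENIGN = '{"partner": "acme", "ids": [1, 2, 3], "active": true}'
DEEP = "[" * 5000 + "]" * 5000

if __name__ == "__main__":
    print(classify(BENIGN, max_depth=64))   # ok
    print(classify(DEEP))                   # stack-exhausted
    print(classify(DEEP, max_depth=64))     # depth-limited
```

The unbounded run ends in Python's RecursionError, the analogue of the JVM StackOverflowError that takes down a Hutool-based service; in Java that error is not normally caught by request-handling code, which is why the outcome is a crash rather than a 400 response. The depth-limited run fails early and cheaply with a domain error the caller can turn into a rejected request, and the limit is the kind of check a fixed parser (or a reverse proxy in front of one) applies to untrusted input.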

Affected Products and Versions

Affected Product(s)                      Version(s)
IBM Sterling Partner Engagement Manager  6.2.2
IBM Sterling Partner Engagement Manager  6.1.2
IBM Sterling Partner Engagement Manager  6.2.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading …

Product                                                    Version  Remediation
IBM Sterling Partner Engagement Manager Essentials Edition 6.2.2.2  Link
IBM Sterling Partner Engagement Manager Standard Edition   6.2.2.2  Link
IBM Sterling Partner Engagement Manager Essentials Edition 6.1.2.9  Link
IBM Sterling Partner Engagement Manager Standard Edition   6.1.2.9  Link
IBM Sterling Partner Engagement Manager Essentials Edition 6.2.0.7  Link
IBM Sterling Partner Engagement Manager Standard Edition   6.2.0.7  Link

Workarounds and Mitigations

None

Affected configurations (Vulners)

Match rule: any one of the following.

Vendor  Product                               Version  CPE
ibm     multi-enterprise_integration_gateway  6.2.2.2  cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2.2.2:*:*:*:*:*:*:*
ibm     multi-enterprise_integration_gateway  6.1.2.9  cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.1.2.9:*:*:*:*:*:*:*
ibm     multi-enterprise_integration_gateway  6.2.0.7  cpe:2.3:a:ibm:multi-enterprise_integration_gateway:6.2.0.7:*:*:*:*:*:*:*

Note that these auto-generated entries carry the fixed versions from the Remediation table (6.2.2.2, 6.1.2.9, 6.2.0.7), not the affected 6.2.2, 6.1.2 and 6.2.0 releases listed by IBM, and name the product as multi-enterprise_integration_gateway rather than Sterling Partner Engagement Manager. Use the Affected Products and Versions table above, not these CPEs, when matching inventory.
