IBM Security Updates 20 December 2022

IBM has released security updates to fix vulnerabilities in third-party components across multiple products.

The addressed vulnerabilities could allow a remote attacker to bypass security restrictions, perform a Cross-Site Scripting (XSS) attack, perform a Server-Side Request Forgery (SSRF) attack, perform a Log Injection attack, execute arbitrary code, or cause a denial of service on the affected products.

Sample of the addressed vulnerabilities:

IBM Db2 Net Search Extender Code Execution (CVE-2022-40674)

• CVSS: 9.8

• Attack Vector: Network

• Attack Complexity: Low

• Privileges Required: None

• User Interaction: None

• Consequences: Gain Access

Affected Products

• IBM Spectrum Control 5.4

• IBM Cognos Analytics 11.1.x and 11.2.x

• IBM Db2 V9.7, V10.1, V10.5, and V11.1 server editions on all platforms

Vulnerabilities

• CVE-2022-39353

• CVE-2022-36364

• CVE-2022-38708

• CVE-2022-43887

• CVE-2022-43883

• CVE-2022-25647

• CVE-2021-29469

• CVE-2022-39160

• CVE-2022-42004

• CVE-2022-42003

• CVE-2022-43680

• CVE-2022-40674

Mitigations

Affected organizations should deploy the updates as soon as their testing phase is complete; the relevant IBM security bulletins are listed below.

• IBM Spectrum Control Security Bulletin

• IBM Cognos Analytics Security Bulletin

• IBM Db2 Security Bulletin
