IBM Sterling B2B Integrator affected by FasterXML jackson-databind vulnerabilities
IBM Sterling B2B Integrator uses FasterXML Jackson-databind.
Vulnerability Details
CVEID: CVE-2022-42004
Description: FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the BeanDeserializer._deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-42003
Description: FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
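Both descriptions above rest on the same input shape: a value wrapped in arrays nested far deeper than any legitimate document. The following is an added example and is not code from this IBM bulletin or from the Jackson project. It assumes a jackson-core 2.15 or later on the classpath, where the StreamReadConstraints API (default maximum nesting depth 1000) exists; the class name, the MAX_DEPTH value and the helper method names are the example's own. It builds an ObjectMapper with a hard nesting limit, keeps the UNWRAP_SINGLE_VALUE_ARRAYS feature named in CVE-2022-42003 off, and checks a constructed deeply nested array against it.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

public class NestingDepthDemo {
    // Hypothetical bound for this example; set it to the deepest document the service legitimately accepts.
    static final int MAX_DEPTH = 50;

    // Build a mapper whose parser refuses documents nested deeper than MAX_DEPTH
    // before any deserializer recursion (BeanDeserializer or primitive unwrapping) runs.
    static ObjectMapper boundedMapper() {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(MAX_DEPTH)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(constraints)
                .build();
        ObjectMapper mapper = new ObjectMapper(factory);
        // Off by default in Jackson; stated explicitly so the CVE-2022-42003 code path is not enabled by accident.
        mapper.disable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        return mapper;
    }

    // Constructed input: a single integer wrapped in `depth` nested arrays, the shape both advisories describe.
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(2 * depth + 1);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // true when the document is rejected by the depth limit, false when it parses normally.
    static boolean rejectedByDepthLimit(ObjectMapper mapper, String json) throws Exception {
        try {
            mapper.readTree(json);
            return false;
        } catch (StreamConstraintsException e) {
            // Thrown by the parser as soon as nesting exceeds MAX_DEPTH; the rest of the input is never read.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = boundedMapper();
        System.out.println(rejectedByDepthLimit(mapper, nestedArrays(10)));     // within the limit, parses
        System.out.println(rejectedByDepthLimit(mapper, nestedArrays(100000))); // exceeds the limit, rejected
    }
}
```

The limit is enforced by the tokenizer, so the rejection cost is proportional to MAX_DEPTH rather than to the size of the attacker-supplied document; catching StreamConstraintsException separately from other parse errors lets a service log and count depth-limit rejections as a distinct signal.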
Affected Products and Versions
Remediation/Fixes
The IIM versions 6.0.3.9, 6.1.0.8, 6.1.1.4 and 6.1.2.3 are available on Fix Central. IIM version 6.2.0.0 is available on Passport Advantage.
The container versions 6.1.1.4, 6.1.2.3 and 6.2.0.0 are available in the IBM Entitled Registry.
Workarounds and Mitigations
None.