Summary IBM Sterling B2B Integrator uses Apache CXF. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details ** CVEID: CVE-2022-46363 DESCRIPTION: **Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform directory listing or code exfiltration, and use this information to launch further attacks against the affected system. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242009 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) ** CVEID: CVE-2021-30468 DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by an infinite loop flaw in the JsonMapObjectReaderWriter function. By sending a specially-crafted JSON to a web service, a remote attacker could exploit this vulnerability to consume available CPU resources. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203830 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: CVE-2021-22696 DESCRIPTION: **Apache CXF is vulnerable to a denial of service, caused by improper validation of request_uri parameter by the OAuth 2 authorization service. By sending a…Read More
Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache CXF
