Vulnerability Name: CVE-2022-25647 (CCN-217225)
Assigned: 2021-10-11
Published: 2021-10-11
Updated: 2022-11-28

Summary: Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service.

CVSS v3 Severity:
7.7 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): High; Privileges Required (PR): None; User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): High; Availability (A): High

7.7 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
6.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): High; Privileges Required (PR): None; User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): High; Availability (A): High

CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial

7.3 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): High; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Complete; Availability (A): Complete
Vulnerability Consequences: Denial of Service

References:
Source: MITRE; Type: CNA; CVE-2022-25647
Source: XF; Type: UNKNOWN; gson-writereplace-dos(217225)
Source: CCN; Type: gson GIT Repository; Prevent Java deserialization of internal classes #1991
Source: report@snyk.io; Type: Patch, Third Party Advisory; report@snyk.io
Source: report@snyk.io; Type: Patch, Third Party Advisory; report@snyk.io
Source: report@snyk.io; Type: Mailing List, Third Party Advisory; report@snyk.io
Source: report@snyk.io; Type: Third Party Advisory; report@snyk.io
Source: report@snyk.io; Type: Third Party Advisory; report@snyk.io
Source: report@snyk.io; Type: Third Party Advisory; report@snyk.io
Source: report@snyk.io; Type: Third Party Advisory; report@snyk.io
Source: CCN; Type: IBM Security Bulletin 6551988 (Db2 Mirror for i); IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225
Source: CCN; Type: IBM Security Bulletin 6561029 (Spectrum Control); IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server - Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson (217225)
Source: CCN; Type: IBM Security Bulletin 6569147 (Tivoli Netcool/Impact); IBM Tivoli Netcool Impact is affected by gson vulnerability (C2021-0419)
Source: CCN; Type: IBM Security Bulletin 6570585 (Curam Social Program Management); Curam Social Program Management may be affected by Denial of Service vulnerability in Google Gson (217225)
Source: CCN; Type: IBM Security Bulletin 6605839 (Security Verify Governance); Multiple security vulnerabilities found in open source code that is shipped with IBM Security Verify Governance, Identity Manager virtual appliance component
Source: CCN; Type: IBM Security Bulletin 6606305 (Cloud Pak for Multicloud Management); IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial server due to its use of Google's Gson
Source: CCN; Type: IBM Security Bulletin 6610078 (Security Identity Manager Virtual Appliance); IBM Security Identity Manager virtual appliance is vulnerable to arbitrary code execution due to Apache Log4j and issues in other open source components (CVE-2021-4104)
Source: CCN; Type: IBM Security Bulletin 6610082 (Db2 On Openshift); Multiple vulnerabilities affect IBM Db2 On Openshift, IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data
Source: CCN; Type: IBM Security Bulletin 6611237 (Sterling Connect:Direct for Microsoft Windows); IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to Google Gson (CVE-2022-25647)
Source: CCN; Type: IBM Security Bulletin 6614677 (Sterling Connect:Direct for UNIX); IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to Google Gson (CVE-2022-25647)
Source: CCN; Type: IBM Security Bulletin 6619905 (Spectrum Copy Data Management); Vulnerabilities in Golang Go, PostgreSQL, jQuery, and Google Gson may affect IBM Spectrum Copy Data Management
Source: CCN; Type: IBM Security Bulletin 6621617 (Planning Analytics Workspace); IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2021-40690, CVE-2021-25647, XFID: 233967)
Source: CCN; Type: IBM Security Bulletin 6830243 (QRadar User Behavior Analytics); Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics
Source: CCN; Type: IBM Security Bulletin 6836817 (Log Analysis); Vulnerability from Google Gson affect IBM Operations Analytics - Log Analysis (CVE-2022-25647)
Source: CCN; Type: IBM Security Bulletin 6837611 (App Connect Enterprise Certified Container); IBM App Connect Enterprise Certified Container IntegrationServer operands that use the JDBC connector may be vulnerable to denial of service due to CVE-2022-25647
Source: CCN; Type: IBM Security Bulletin 6841801 (Cognos Analytics); IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364)
Source: CCN; Type: IBM Security Bulletin 6845962 (Watson Assistant for Cloud Pak for Data); IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Google Gson denial of service vulnerabilities (CVE-2022-25647, ID217225)
Source: CCN; Type: IBM Security Bulletin 6852711 (Sterling B2B Integrator); IBM Sterling B2B Integrator is vulnerable to denial of service due to Google Gson (CVE-2022-25647)
Source: CCN; Type: IBM Security Bulletin 6854713 (Voice Gateway); Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway
Source: CCN; Type: IBM Security Bulletin 6856221 (Security Guardium); IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647)
Source: CCN; Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation); Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform
Source: CCN; Type: IBM Security Bulletin 6967333 (QRadar SIEM); IBM QRadar SIEM includes components with known vulnerabilities
Source: CCN; Type: IBM Security Bulletin 6967565 (Cloud Pak for Data System); Vulnerability in gson-2.8.0.jar affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) (CVE-2022-25647)
Source: CCN; Type: IBM Security Bulletin 7003477 (Application Performance Management); Vulnerability of Google Gson (gson-2.8.2.jar) have affected APM WebSphere Application Server Agent and APM SAP NetWeaver Agent
Source: CCN; Type: IBM Security Bulletin 7005605 (Spectrum Protect); IBM Storage Protect is vulnerable to a denial of service attack due to Google Gson (CVE-2022-25647)
Source: CCN; Type: IBM Security Bulletin 7007837 (Cloud Pak for Watson AIOps); Multiple Vulnerabilities in CloudPak for Watson AIOPs
Source: CCN; Type: Oracle CPUJul2022; Oracle Critical Patch Update Advisory - July 2022
Source: report@snyk.io; Type: Patch, Third Party Advisory; report@snyk.io
Source: CCN; Type: WhiteSource Vulnerability Database; CVE-2022-25647
Source: CCN; Type: WhiteSource Vulnerability Database; WS-2021-0419

Vulnerable Configuration (Configuration CCN 1):
cpe:/a:google:gson:2.8.8:*:*:*:*:*:*:*
AND
cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect:8.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:application_performance_management:8.1.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_identity_manager_virtual_appliance:7.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_identity_manager_virtual_appliance:7.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_analytics:11.2.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:*
OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:db2_warehouse:3.5:-:*:*:*:*:*:*
OR cpe:/a:ibm:db2_warehouse:4.0:-:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_control:5.4.5.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:curam_social_program_management:8.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:db2_warehouse:4.5:-:*:*:*:*:*:*
OR cpe:/a:ibm:sterling_b2b_integrator:6.1.2.0:*:*:*:standard:*:*:*

Affected Components (vulnerable, as listed in Configuration CCN 1):
google gson 2.8.8
ibm tivoli netcool/impact 7.1.0
ibm spectrum protect 8.1
ibm sterling b2b integrator 6.0.0.0
ibm application performance management 8.1.4
ibm voice gateway 1.0.2
ibm voice gateway 1.0.3
ibm mobilefirst platform foundation 8.0.0.0
ibm voice gateway 1.0.2.4
ibm voice gateway 1.0.4
ibm qradar security information and event manager 7.4 -
ibm voice gateway 1.0.5
ibm security identity manager virtual appliance 7.0.2
ibm security identity manager virtual appliance 7.0.1
ibm sterling b2b integrator 6.1.0.0
ibm voice gateway 1.0.7
ibm cognos analytics 11.2.0
ibm cognos analytics 11.1.7
ibm security guardium 11.4
ibm cognos analytics 11.2.1
ibm sterling b2b integrator 6.1.1.0
ibm planning analytics workspace 2.0
ibm db2 warehouse 3.5 -
ibm db2 warehouse 4.0 -
ibm spectrum control 5.4.5.2
ibm spectrum copy data management 2.2.0.0
ibm curam social program management 8.0.1
ibm db2 warehouse 4.5 -
ibm sterling b2b integrator 6.1.2.0