Vulnerability CVE-2022-42920

Vulnerability Name:

CVE-2022-42920 (CCN-239562)

Assigned:

2022-11-04

Published:

2022-11-04

Updated:

2023-02-03

Summary:

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.1 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-787

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2022-42920

Source: security@apache.org
Type: Mailing List, Third Party Advisory
security@apache.org

Source: CCN
Type: Apache Web site
Apache Commons BCEL

Source: XF
Type: UNKNOWN
apache-cve202242920-sec-bypass(239562)

Source: security@apache.org
Type: Mailing List, Vendor Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Third Party Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Third Party Advisory
security@apache.org

Source: security@apache.org
Type: Mailing List, Third Party Advisory
security@apache.org

Source: CCN
Type: IBM Security Bulletin 6852217 (Cloud Pak for Business Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for December 2022

Source: CCN
Type: IBM Security Bulletin 6853681 (Business Automation Workflow containers)
Code injection vulnerability affect IBM Business Automation Workflow (CVE-2022-42920)

Source: CCN
Type: IBM Security Bulletin 6910171 (Integration Designer)
Multiple CVEs affect IBM Integration Designer

Source: CCN
Type: IBM Security Bulletin 6962849 (Maximo Application Suite)
There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920)

Source: CCN
Type: IBM Security Bulletin 6991671 (Maximo Asset Management)
There is a vulnerability in Apache Commons BCEL used by IBM Maximo Asset Management (CVE-2022-42920)

Source: CCN
Type: IBM Security Bulletin 6999633 (Business Automation Manager Open Editions)
Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.3

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:-:*:*:containers:*:*:*

OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*

OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*

OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*

OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:-:*:*:containers:*:*:*

OR cpe:/a:ibm:business_automation_workflow:21.0.3:-:*:*:containers:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.6.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:21.0.2:-:*:*:containers:*:*:*

OR cpe:/a:ibm:business_automation_workflow:22.0.1:-:*:*:containers:*:*:*

OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*

OR cpe:/a:ibm:maximo_asset_management:7.6.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:21.0.3.1:*:*:*:traditional:*:*:*

OR cpe:/a:apache:commons_bcel:6.5.0:-:*:*:*:*:*:*

OR cpe:/a:ibm:maximo_application_suite:8.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:business_automation_workflow:22.0.2:-:*:*:containers:*:*:*

OR cpe:/a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7447	P	bcel-5.2-150200.11.3.1 on GA media (Moderate)	2023-06-12
oval:com.redhat.rhsa:def:20230005	P	RHSA-2023:0005: bcel security update (Important)	2023-01-02
oval:com.redhat.rhsa:def:20228958	P	RHSA-2022:8958: bcel security update (Important)	2022-12-13

BACK