Security Bulletin
Summary
Spring Framework is used by IBM Sterling B2B Integrator. Multiple vulnerabilities in Spring Framework have been addressed.
Vulnerability Details
CVEID: CVE-2016-9878
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to traverse directories on the system, caused by the failure to sanitize paths provided to ResourceServlet. An attacker could send a specially-crafted URL request containing directory traversal sequences to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/120241 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2020-5421
DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass RFD Protection.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2018-1257
DESCRIPTION: Pivotal Spring Framework is vulnerable to a denial of service. By sending a specially-crafted message, a remote attacker could exploit this vulnerability to perform a regular expression denial of service attack.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/143316 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2013-4152
DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to obtain sensitive information, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending a specially-crafted request, an attacker could exploit this vulnerability to read arbitrary files and obtain sensitive information.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/86589 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | APAR(s) | Version(s) |
| IBM Sterling B2B Integrator | IT40592 | 6.0.0.0 - 6.0.3.5 |
| IBM Sterling B2B Integrator | IT40592 | 6.1.0.0 - 6.1.0.4 |
Remediation/Fixes
| Product(s) | Version(s) | Remediation/Fix |
| IBM Sterling B2B Integrator | 6.0.0.0 - 6.0.3.5 | Apply IBM Sterling B2B Integrator version 6.0.3.6 on Fix Central |
| IBM Sterling B2B Integrator | 6.1.0.0 - 6.1.0.4 | Apply IBM Sterling B2B Integrator version 6.1.1.0 or higher on Fix Central |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
06 Apr 2022: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
13 May 2022
UID
ibm16570969