
IBM has released a security bulletin addressing a vulnerability in the Apache Derby package shipped with IBM TXSeries for Multiplatforms. The vulnerability, identified as CVE-2022-46337, carries a CVSS score of 9.1, indicating its critical severity.
The vulnerability stems from an LDAP injection flaw in the authenticator component of Apache Derby. This flaw could allow a remote attacker to bypass security restrictions by sending a specially crafted request. Successful exploitation could lead to severe consequences, including:
- Unauthorized viewing and corruption of sensitive data
- Execution of sensitive database functions and procedures
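The advisory names the flaw class (LDAP filter injection in an authenticator) without showing code. The following is an added illustration of that class and its standard mitigation, not Apache Derby's or IBM's code; it assumes the authenticator builds a search filter such as `(uid=<name>)` from the supplied user name, and the sample names are constructed.

```python
# Added illustration of the vulnerability class named above (LDAP filter
# injection in an authenticator); this is NOT Apache Derby's or IBM's code.
# Assumption: the authenticator builds an LDAP search filter such as
# "(uid=<name>)" from the user-supplied name before looking the user up.

# RFC 4515 section 3: characters with special meaning inside a filter value
# must be encoded as a backslash followed by the two-digit hex of the byte.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",    # the escape character itself
    "*": r"\2a",     # wildcard
    "(": r"\28",     # would open a new filter component
    ")": r"\29",     # would close the current component early
    "\x00": r"\00",  # NUL
}

def escape_ldap_filter_value(value: str) -> str:
    """Encode a value so it can only match literally inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, attr: str = "uid") -> str:
    """Hardened form: the supplied name is escaped before it enters the filter.
    Concatenating the raw name here is the vulnerable pattern."""
    return f"({attr}={escape_ldap_filter_value(username)})"

def filter_is_single_equality(filt: str, attr: str = "uid") -> bool:
    """Defensive check before a query goes out: exactly one (attr=value)
    assertion, no unescaped metacharacters, only well-formed \\XX escapes."""
    prefix = f"({attr}="
    if not (filt.startswith(prefix) and filt.endswith(")")):
        return False
    value, i = filt[len(prefix):-1], 0
    while i < len(value):
        if value[i] == "\\":
            hexpart = value[i + 1:i + 3]
            if len(hexpart) != 2 or not all(c in "0123456789abcdefABCDEF" for c in hexpart):
                return False
            i += 3
        elif value[i] in "()*\x00":
            return False
        else:
            i += 1
    return True

if __name__ == "__main__":
    # constructed sample names; the second carries filter metacharacters
    for name in ("alice", "o'neil*(1)"):
        f = build_user_filter(name)
        print(name, "->", f, "single-equality:", filter_is_single_equality(f))
```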
The following versions of IBM TXSeries for Multiplatforms are affected:
- IBM TXSeries for Multiplatforms 8.1
- IBM TXSeries for Multiplatforms 8.2
- IBM TXSeries for Multiplatforms 9.1
- IBM TXSeries for Multiplatforms 10.1
IBM strongly recommends immediate action to address this vulnerability. The following fixes are available:
- IBM TXSeries for Multiplatforms 8.1 and 8.2: PSIRT fixes are available for extended support customers through a Salesforce case.
- IBM TXSeries for Multiplatforms 9.1 and 10.1: Fixes can be downloaded and applied from Fix Central.
No workarounds or mitigations are available.
This vulnerability poses a significant risk to organizations using the affected versions of IBM TXSeries for Multiplatforms. It is crucial to apply the recommended fixes as soon as possible to prevent potential attacks and data breaches.