{ "document" : { "aggregate_severity" : { "text" : "kritisch" }, "category" : "csaf_base", "csaf_version" : "2.0", "distribution" : { "tlp" : { "label" : "WHITE", "url" : "https://www.first.org/tlp/" } }, "lang" : "de-DE", "notes" : [ { "category" : "legal_disclaimer", "text" : "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen." }, { "category" : "description", "text" : "Apache Commons ist ein Apache-Projekt, das alle Aspekte der wiederverwendbaren Java-Komponenten behandelt.", "title" : "Produktbeschreibung" }, { "category" : "summary", "text" : "Ein entfernter Angreifer kann eine Schwachstelle in Apache Commons ausnutzen, um beliebigen Programmcode auszuführen.", "title" : "Angriff" }, { "category" : "general", "text" : "- Linux\n- Sonstiges\n- UNIX\n- Windows", "title" : "Betroffene Betriebssysteme" } ], "publisher" : { "category" : "other", "contact_details" : "csaf-provider@cert-bund.de", "name" : "Bundesamt für Sicherheit in der Informationstechnik", "namespace" : "https://www.bsi.bund.de" }, "references" : [ { "category" : "self", "summary" : "WID-SEC-W-2022-0590 - CSAF Version", "url" : "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-0590.json" }, { "category" : "self", "summary" : "WID-SEC-2022-0590 - Portal Version", "url" : "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0590" }, { "category" : "external", "summary" : "Mailing list OSS Security vom 2022-07-06", "url" : "https://seclists.org/oss-sec/2022/q3/29" }, { "category" : "external", "summary" : "PoC vom 2022-07-10", "url" : "https://github.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE" }, { "category" : "external", "summary" : "Red Hat Security Advisory RHSA-2022:6916 vom 2022-10-12", "url" : "https://access.redhat.com/errata/RHSA-2022:6916" }, { "category" : "external", "summary" : "IBM Security Bulletin 6829367 vom 2022-10-15", "url" : "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache-commons-configuration-affects-ibm-infosphere-information-server-cve-2022-33980/" }, { "category" : "external", "summary" : "Red Hat Security Advisory RHSA-2022:8652 vom 2022-11-28", "url" : "https://access.redhat.com/errata/RHSA-2022:8652" }, { "category" : "external", "summary" : "Debian Security Advisory DSA-5290 vom 2022-11-28", "url" : "https://lists.debian.org/debian-security-announce/2022/msg00261.html" }, { "category" : "external", "summary" : "IBM Security Bulletin 6985689 vom 2023-04-24", "url" : "https://www.ibm.com/support/pages/node/6985689" }, { "category" : "external", "summary" : "IBM Security Bulletin 7008449 vom 2023-06-29", "url" : "https://www.ibm.com/support/pages/node/7008449" }, { "category" : "external", "summary" : "### vom 2024-10-15", "url" : "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24999" } ], "source_lang" : "en-US", "title" : "Apache Commons: Schwachstelle ermöglicht Codeausführung", "tracking" : { "current_release_date" : "2024-10-14T22:00:00.000+00:00", "generator" : { "date" : "2024-10-15T08:15:56.606+00:00", "engine" : { "name" : "BSI-WID", "version" : "1.3.8" } }, "id" : "WID-SEC-W-2022-0590", "initial_release_date" : "2022-07-06T22:00:00.000+00:00", "revision_history" : [ { "date" : "2022-07-06T22:00:00.000+00:00", "number" : "1", "summary" : "Initiale Fassung" }, { "date" : "2022-07-07T22:00:00.000+00:00", "number" : "2", "summary" : "Referenz(en) aufgenommen: GHSA-XJ57-8QJ4-C4M6" }, { "date" : "2022-07-10T22:00:00.000+00:00", "number" : "3", "summary" : "PoC aufgenommen" }, { "date" : "2022-07-11T22:00:00.000+00:00", "number" : "4", "summary" : "Korrektur Versionsnummer" }, { "date" : "2022-07-14T22:00:00.000+00:00", "number" : "5", "summary" : "Referenz(en) aufgenommen: GHSL-2022-017" }, { "date" : "2022-10-12T22:00:00.000+00:00", "number" : "6", "summary" : "Neue Updates von Red Hat aufgenommen" }, { "date" : "2022-10-16T22:00:00.000+00:00", "number" : "7", "summary" : "Neue Updates von IBM aufgenommen" }, { "date" : "2022-11-28T23:00:00.000+00:00", "number" : "8", "summary" : "Neue Updates von Red Hat und Debian aufgenommen" }, { "date" : "2023-04-24T22:00:00.000+00:00", "number" : "9", "summary" : "Neue Updates von IBM aufgenommen" }, { "date" : "2023-06-29T22:00:00.000+00:00", "number" : "10", "summary" : "Neue Updates von IBM aufgenommen" }, { "date" : "2024-10-14T22:00:00.000+00:00", "number" : "11", "summary" : "Neue Updates aufgenommen" } ], "status" : "final", "version" : "11" } }, "product_tree" : { "branches" : [ { "branches" : [ { "branches" : [ { "category" : "product_version_range", "name" : "Configuration <2.8.0", "product" : { "name" : "Apache Commons Configuration <2.8.0", "product_id" : "T023800" } }, { "category" : "product_version", "name" : "Configuration 2.8.0", "product" : { "name" : "Apache Commons Configuration 2.8.0", "product_id" : "T023800-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:apache:commons:2.8.0::configuration" } } } ], "category" : "product_name", "name" : "Commons" } ], "category" : "vendor", "name" : "Apache" }, { "branches" : [ { "branches" : [ { "category" : "product_version_range", "name" : "<2.3.0a", "product" : { "name" : "Broadcom Brocade SANnav <2.3.0a", "product_id" : "T034391" } }, { "category" : "product_version", "name" : "2.3.0a", "product" : { "name" : "Broadcom Brocade SANnav 2.3.0a", "product_id" : "T034391-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:broadcom:brocade_sannav:2.3.0a" } } }, { "category" : "product_version_range", "name" : "<2.3.1a", "product" : { "name" : "Broadcom Brocade SANnav <2.3.1a", "product_id" : "T038317" } }, { "category" : "product_version", "name" : "2.3.1a", "product" : { "name" : "Broadcom Brocade SANnav 2.3.1a", "product_id" : "T038317-fixed", "product_identification_helper" : { "cpe" : "cpe:/a:broadcom:brocade_sannav:2.3.1a" } } } ], "category" : "product_name", "name" : "Brocade SANnav" } ], "category" : "vendor", "name" : "Broadcom" }, { "branches" : [ { "category" : "product_name", "name" : "Debian Linux", "product" : { "name" : "Debian Linux", "product_id" : "2951", "product_identification_helper" : { "cpe" : "cpe:/o:debian:debian_linux:-" } } } ], "category" : "vendor", "name" : "Debian" }, { "branches" : [ { "category" : "product_name", "name" : "IBM DB2", "product" : { "name" : "IBM DB2", "product_id" : "5104", "product_identification_helper" : { "cpe" : "cpe:/a:ibm:db2:-" } } }, { "branches" : [ { "category" : "product_version", "name" : "11.7", "product" : { "name" : "IBM InfoSphere Information Server 11.7", "product_id" : "444803", "product_identification_helper" : { "cpe" : "cpe:/a:ibm:infosphere_information_server:11.7" } } } ], "category" : "product_name", "name" : "InfoSphere Information Server" } ], "category" : "vendor", "name" : "IBM" }, { "branches" : [ { "category" : "product_name", "name" : "Red Hat Enterprise Linux", "product" : { "name" : "Red Hat Enterprise Linux", "product_id" : "67646", "product_identification_helper" : { "cpe" : "cpe:/o:redhat:enterprise_linux:-" } } } ], "category" : "vendor", "name" : "Red Hat" } ] }, "vulnerabilities" : [ { "cve" : "CVE-2022-33980", "notes" : [ { "category" : "description", "text" : "Es existiert eine Schwachstelle in Apache Commons in der Konfigurations Komponente. Die Schwachstelle besteht, weil eine Variableninterpolation durchgeführt wird, die es ermöglicht, Eigenschaften dynamisch zu bewerten und zu erweitern. Der Satz von Standard-Lookup-Instanzen enthält Interpolatoren, die zu einem Fehler führen können. Ein entfernter Angreifer kann diese Schwachstelle zur Ausführung von beliebigem Code ausnutzen." } ], "product_status" : { "known_affected" : [ "2951", "T038317", "67646", "T034391", "444803", "T023800", "5104" ] }, "release_date" : "2022-07-06T22:00:00.000+00:00", "title" : "CVE-2022-33980" } ] }