IBM patches third party library flaw in TXSeries middleware
Take action: If you are running TXSeries for Multiplatforms, review your setup and how exposed the platform is. If the system only serves your own internal applications, this is not a panic-mode patch; if it is exposed to partners or external systems, prioritize the patch. Either way, schedule the patch. The only difference is whether you do it faster or at the normal pace.
Learn More
A critical security vulnerability has been identified in IBM TXSeries for Multiplatforms, affecting multiple versions of the software.
This vulnerability, tracked as CVE-2022-46337 (CVSS score 9.1), stems from an LDAP injection vulnerability in the LDAP authenticator of the Apache Derby package shipped with IBM TXSeries. It is classified as "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", i.e. a user-supplied value is placed into an LDAP query without its special characters being neutralized.
If successfully exploited, attackers could:
- View sensitive data
- Corrupt sensitive data
- Execute sensitive database functions and procedures
- Bypass security restrictions of IBM's middleware for transaction processing
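To illustrate the bug class behind this advisory (not Derby's or IBM's code, and not the actual vulnerable code path), here is an added Python example of a user-name lookup filter built by plain string concatenation next to one that escapes the characters RFC 4515 reserves for filter syntax, plus two checks a defender can use to spot a user name that would change the filter's structure. The helper names and sample user names are constructed for this illustration.

```python
# Added example, not from the advisory or from Apache Derby. Helper names are
# hypothetical; sample user names below are constructed for illustration.

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an untrusted string so the LDAP server treats it as a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user_attr: str, username: str) -> str:
    """Vulnerable pattern: the raw user name is spliced straight into the filter text."""
    return f"(&({user_attr}={username})(objectClass=inetOrgPerson))"


def build_filter_safe(user_attr: str, username: str) -> str:
    """Hardened form: the user name is escaped, so it cannot alter the filter's structure."""
    return f"(&({user_attr}={escape_filter_value(username)})(objectClass=inetOrgPerson))"


def has_filter_metacharacters(username: str) -> bool:
    """Boundary or log-review check: does a submitted user name carry characters
    that only mean something to an LDAP filter parser?"""
    return any(ch in _FILTER_ESCAPES for ch in username)


def count_assertions(ldap_filter: str) -> int:
    """Rough structural check for filters built by the two functions above: the
    number of unescaped '(' minus the outer '(&'. A login filter built here should
    always contain exactly two assertions; any other count means the user name
    changed the query rather than being matched as a value."""
    return ldap_filter.count("(") - 1


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    sample = "x)(cn=*"
    print("unsafe:", build_filter_unsafe("uid", sample), count_assertions(build_filter_unsafe("uid", sample)))
    print("safe:  ", build_filter_safe("uid", sample), count_assertions(build_filter_safe("uid", sample)))
```

Run it to see that the unsafe filter gains an extra assertion from the sample user name while the escaped filter keeps exactly the two it was built with.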
The vulnerability affects the following IBM TXSeries for Multiplatforms versions:
- IBM TXSeries for Multiplatforms 8.1
- IBM TXSeries for Multiplatforms 8.2
- IBM TXSeries for Multiplatforms 9.1
- IBM TXSeries for Multiplatforms 10.1
IBM strongly recommends addressing this vulnerability immediately by downloading and applying the appropriate fixes:
- For TXSeries 8.1 (Linux, AIX): PSIRT fixes are provided only to extended-support customers, on request through a Salesforce case
- For TXSeries 8.2 (Linux, AIX, Windows): PSIRT fixes are provided only to extended-support customers, on request through a Salesforce case
- For TXSeries 9.1 (Linux, AIX): Download and apply the fix from Fix Central
- For TXSeries 10.1 (Linux - 32bit): Download and apply the fix from Fix Central
- For TXSeries 10.1 (Linux - 64bit): Download and apply the fix from Fix Central
No workarounds or mitigations have been identified for this vulnerability. System administrators are strongly advised to apply the security patches as soon as possible, especially since this vulnerability could be exploited remotely.