
COSOL’s response to the Apache Commons BCEL security vulnerability (CVE-2022-42920)

News Insight by COSOL

At a glance

  • On 15th May 2023 IBM notified customers of a critical security vulnerability in Apache Commons BCEL, a bytecode library used by IBM Maximo.
  • This vulnerability affects all organisations running IBM Maximo Asset Management version 7.6.1.
  • COSOL's Managed Service Support team is assessing the impact for COSOL customers and will provide updates, with advice and suggested actions, as the situation progresses.

CVEID: CVE-2022-42920  |  CVSS Base score: 9.8  |  IBM Notification Date: 15th May 2023

IBM has advised of a critical security vulnerability in Apache Commons BCEL, a bytecode manipulation library used by IBM Maximo Asset Management version 7.6.1. BCEL exposes a number of APIs that are intended to change only specific characteristics of a class; because of an out-of-bounds write in those APIs, they can instead be made to produce arbitrary bytecode. An application that passes attacker-controllable data into these APIs could therefore be made, by a specially crafted request, to give a remote attacker more control over the resulting bytecode than intended and so bypass security restrictions. Apache fixed the flaw in Commons BCEL 6.6.0. The CVSS base score of 9.8 describes the library flaw itself; whether a particular Maximo installation is exploitable depends on whether attacker-controlled input reaches those APIs, which is what the impact assessment below is establishing.
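The first thing an administrator will want to know is which BCEL build is actually on disk. The script below is an added example written for this article, not code from COSOL, IBM or the Apache project: it walks an install tree, finds jars that are named bcel-<version>.jar or that contain classes from the org.apache.bcel package, reads the version from the manifest's Implementation-Version (falling back to the file name), and flags anything older than 6.6.0, the release that closes CVE-2022-42920. The jar naming convention, the manifest field, the sample jars built in a temporary directory, and the idea that you point it at your own Maximo or WebSphere root are all assumptions of this example; the only fact taken from the advisory is the CVE, and the fixed version comes from the Apache CVE record.

```python
"""Added example: inventory Apache Commons BCEL jars and flag builds older
than 6.6.0 (the fix for CVE-2022-42920). Not COSOL's, IBM's or Apache's code.
Assumed conventions: jars named bcel-<version>.jar, or any jar carrying
org/apache/bcel/ classes, with Implementation-Version in META-INF/MANIFEST.MF.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (6, 6, 0)  # Apache Commons BCEL 6.6.0 closes CVE-2022-42920


def parse_version(text):
    """Turn '6.5.0' (or '6.5') into a comparable int tuple; None if unparseable."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def manifest_version(jar_path):
    """Read Implementation-Version from the jar manifest, if present."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    # Manifest lines over 72 bytes are continued with a leading space; rejoin them.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def jar_contains_bcel(jar_path):
    """True if the archive carries org.apache.bcel classes (catches renamed jars)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return any(n.startswith("org/apache/bcel/") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False


def bcel_version(jar_path):
    """Prefer the manifest; fall back to the bcel-<version>.jar naming convention."""
    v = manifest_version(jar_path)
    if v is None:
        m = re.match(r"bcel-(\d[\w.\-]*)\.jar$", os.path.basename(jar_path))
        v = m.group(1) if m else None
    return parse_version(v) if v else None


def scan_for_bcel(root):
    """Walk root; return [(path, version_tuple_or_None, vulnerable)] for BCEL jars."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            if "bcel" not in name.lower() and not jar_contains_bcel(path):
                continue
            ver = bcel_version(path)
            # An unknown version is reported as vulnerable rather than silently skipped.
            vulnerable = ver is None or ver < FIXED_VERSION
            findings.append((path, ver, vulnerable))
    return findings


def make_sample_jar(path, version=None):
    """Constructed fixture: a minimal jar with one BCEL class entry and an optional manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("org/apache/bcel/Const.class", b"\xca\xfe\xba\xbe")
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)


def demo():
    """Build constructed sample jars in a temp dir, scan them, return {basename: (version, vulnerable)}."""
    root = tempfile.mkdtemp(prefix="bcel-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    make_sample_jar(os.path.join(lib, "bcel-6.5.0.jar"), "6.5.0")  # pre-fix build
    make_sample_jar(os.path.join(lib, "bcel-6.6.0.jar"), "6.6.0")  # fixed build
    make_sample_jar(os.path.join(lib, "bcel.jar"))                  # no version anywhere
    return {os.path.basename(p): (v, vuln) for p, v, vuln in scan_for_bcel(root)}


if __name__ == "__main__":
    for name, (ver, vuln) in sorted(demo().items()):
        print("VULNERABLE" if vuln else "ok", name, ver)
```

Run `scan_for_bcel` against your own application root rather than `demo()` for a real inventory. Two caveats: a jar that bundles BCEL classes alongside other code will report the bundle's Implementation-Version, not BCEL's, so treat those as "version unknown" and confirm by hand; and a jar on disk does not by itself prove the vulnerable APIs are reachable by attacker-controlled input, which is the question the impact assessment answers.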

COSOL is currently:

  • assessing the vulnerability
  • performing an impact assessment across our application portfolio and impacted customer base
  • reviewing the suggested remediation actions
  • closely monitoring product vendor announcements

What happens now:

COSOL will provide further updates via this article and through direct communications with our customers.

  • For COSOL Managed Services Support customers, you will be updated on the impact of this vulnerability, and actions required to mitigate any risk to your organisation.
  • For COSOL EAMaaS customers, a separate notification will be issued with further information outlining the mitigation strategy and proposed timeline.

If you are not a COSOL EAMaaS or Managed Services Support customer, and would like assistance to apply this latest fix, please contact COSOL Support.