
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN253
_____________________________________________________________________

DATE                : 04/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running IBM DevOps Build versions prior
                     to 7.1.0.2.

=====================================================================
https://www.ibm.com/support/pages/node/7262407
_____________________________________________________________________


Security Bulletin: Multiple Vulnerabilities in IBM DevOps Build.

Summary

Multiple vulnerabilities were addressed in IBM DevOps Build 7.1.0.2.

Vulnerability Details

CVEID:   CVE-2025-52434
DESCRIPTION:   Concurrent Execution using Shared Resource with
Improper Synchronization ('Race Condition') vulnerability in Apache
Tomcat when using the APR/Native connector. This was particularly
noticeable with client initiated closes of HTTP/2 connections. This
issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The
following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Other, older, EOL
versions may also be affected. Users are recommended to upgrade to
version 9.0.107, which fixes the issue.
CWE:   CWE-362: Concurrent Execution using Shared Resource with
Improper Synchronization ('Race Condition')
CVSS Source:   CISA ADP
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2019-17571
DESCRIPTION:   Included in Log4j 1.2 is a SocketServer class that is
vulnerable to deserialization of untrusted data which can be
exploited to remotely execute arbitrary code when combined with a
deserialization gadget when listening to untrusted network traffic
for log data. This affects Log4j 1.2 versions up to 1.2.17.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2020-9488
DESCRIPTION:   Improper validation of certificate with host mismatch
in Apache Log4j SMTP appender. This could allow an SMTPS connection
to be intercepted by a man-in-the-middle attack which could leak any
log messages sent through that appender. Fixed in Apache Log4j
2.12.3 and 2.13.1
CWE:   CWE-295: Improper Certificate Validation
CVSS Source:   IBM X-Force
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2021-4104
DESCRIPTION:   JMSAppender in Log4j 1.2 is vulnerable to
deserialization of untrusted data when the attacker has write
access to the Log4j configuration. The attacker can provide
TopicBindingName and TopicConnectionFactoryBindingName
configurations causing JMSAppender to perform JNDI requests that
result in remote code execution in a similar fashion to
CVE-2021-44228. Note this issue only affects Log4j 1.2 when
specifically configured to use JMSAppender, which is not the
default. Apache Log4j 1.2 reached end of life in August 2015.
Users should upgrade to Log4j 2 as it addresses numerous other
issues from the previous versions.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   8.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-23302
DESCRIPTION:   JMSSink in all versions of Log4j 1.x is vulnerable
to deserialization of untrusted data when the attacker has write
access to the Log4j configuration or if the configuration
references an LDAP service the attacker has access to. The
attacker can provide a TopicConnectionFactoryBindingName
configuration causing JMSSink to perform JNDI requests that
result in remote code execution in a similar fashion to
CVE-2021-4104. Note this issue only affects Log4j 1.x when
specifically configured to use JMSSink, which is not the
default. Apache Log4j 1.2 reached end of life in August 2015.
Users should upgrade to Log4j 2 as it addresses numerous other
issues from the previous versions.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   8.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2022-23305
DESCRIPTION:   By design, the JDBCAppender in Log4j 1.2.x accepts an
SQL statement as a configuration parameter where the values to be
inserted are converters from PatternLayout. The message converter,
%m, is likely to always be included. This allows attackers to
manipulate the SQL by entering crafted strings into input fields or
headers of an application that are logged allowing unintended SQL
queries to be executed. Note this issue only affects Log4j 1.x when
specifically configured to use the JDBCAppender, which is not the
default. Beginning in version 2.0-beta8, the JDBCAppender was
re-introduced with proper support for parameterized SQL queries
and further customization over the columns written to in logs.
Apache Log4j 1.2 reached end of life in August 2015. Users should
upgrade to Log4j 2 as it addresses numerous other issues from the
previous versions.
CWE:   CWE-89: Improper Neutralization of Special Elements used in
an SQL Command ('SQL Injection')
CVSS Source:   IBM X-Force
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
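
How the %m substitution described above lets a logged message become part of the configured SQL statement, beside the parameterized form Log4j 2 adopted, as an added example in Python with sqlite3 (not Log4j or IBM code; the table, the configured statement and the crafted message are constructed for the demonstration):

```python
import sqlite3

# Mirrors the Log4j 1.2 JDBCAppender design the advisory describes: the SQL
# comes from configuration and the PatternLayout converters (%p level,
# %m message) are substituted into it as text. Example code added here, not
# from Log4j or IBM; the table and statement are constructed for the demo.
CONFIGURED_SQL = "INSERT INTO logs (level, msg) VALUES ('%p', '%m')"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE logs (level TEXT, msg TEXT)")
    return con


def vulnerable_append(con, level: str, message: str) -> None:
    """Log4j 1.x style: the logged message becomes part of the SQL text."""
    con.execute(CONFIGURED_SQL.replace("%p", level).replace("%m", message))


def parameterized_append(con, level: str, message: str) -> None:
    """Log4j 2 style: placeholders bind the message as data, never as SQL."""
    con.execute("INSERT INTO logs (level, msg) VALUES (?, ?)", (level, message))


def rows(con) -> list:
    return con.execute("SELECT level, msg FROM logs ORDER BY rowid").fetchall()


# Constructed sample: a logged request field whose text closes the quoted
# value and opens a second row, the kind of crafted input CVE-2022-23305
# describes. Only %m is attacker-controlled; %p comes from the logger.
CRAFTED = "x'), ('INFO', 'forged entry"


def demo() -> tuple:
    """Returns (rows written by the vulnerable path, rows by the safe path)."""
    vuln, safe = make_db(), make_db()
    vulnerable_append(vuln, "ERROR", CRAFTED)     # two rows: one forged
    parameterized_append(safe, "ERROR", CRAFTED)  # one row, stored verbatim
    return rows(vuln), rows(safe)
```

The parameterized path stores the crafted text verbatim as a single row, which is the behaviour the re-introduced Log4j 2 JDBCAppender gives.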

CVEID:   CVE-2022-23307
DESCRIPTION:   CVE-2020-9493 identified a deserialization issue that
was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was
a component of Apache Log4j 1.2.x where the same issue exists.
CWE:   CWE-502: Deserialization of Untrusted Data
CVSS Source:   IBM X-Force
CVSS Base score:   9.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2025-41242
DESCRIPTION:   Spring Framework MVC applications can be vulnerable to a
“Path Traversal Vulnerability” when deployed on a non-compliant Servlet
container. An application can be vulnerable when all the following are
true:
* the application is deployed as a WAR or with an embedded Servlet
  container
* the Servlet container does not reject suspicious sequences
  https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1…
* the application serves static resources
  https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config…
  with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse
Jetty are not vulnerable, as long as default security features are not
disabled in the configuration. Because we cannot check exploits against
all Servlet containers and configuration variants, we strongly recommend
upgrading your application.
CWE:   CWE-22: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal')
CVSS Source:   security@vmware.com
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2025-41249
DESCRIPTION:   The Spring Framework annotation detection mechanism
may not correctly resolve annotations on methods within type
hierarchies with a parameterized super type with unbounded generics.
This can be an issue if such annotations are used for authorization
decisions. Your application may be affected by this if you are
using Spring Security's @EnableMethodSecurity feature. You are not
affected by this if you are not using @EnableMethodSecurity or if
you do not use security annotations on methods in generic
superclasses or generic interfaces. This CVE is published in
conjunction with CVE-2025-41248
(https://spring.io/security/cve-2025-41248).
CWE:   CWE-285: Improper Authorization
CVSS Source:   security@vmware.com
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2025-53864
DESCRIPTION:   Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2
and 9.37.x before 9.37.4 allows a remote attacker to cause a
denial of service via a deeply nested JSON object supplied in
a JWT claim set, because of uncontrolled recursion. NOTE: this
is independent of the Gson 2.11.0 issue because the Connect2id
product could have checked the JSON object nesting depth,
regardless of what limits (if any) were imposed by Gson.
CWE:   CWE-674: Uncontrolled Recursion
CVSS Source:   cve@mitre.org
CVSS Base score:   5.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)
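
The nesting-depth check the advisory says a JWT library could apply to a claim set before parsing it, as an added example in Python (not Connect2id or IBM code; the 32-level limit and the sample payloads are assumptions made for the demonstration):

```python
import json

MAX_DEPTH = 32  # assumed limit for this service; the advisory names none


def json_nesting_depth(text: str) -> int:
    """Deepest object/array nesting in raw JSON text, found with a single
    non-recursive pass (so the check cannot overflow the stack itself);
    brackets inside string literals are ignored."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "}]":
            depth -= 1
    return max_depth


def parse_claims(payload: str, limit: int = MAX_DEPTH) -> dict:
    """Parse a JWT claim set only after bounding its nesting depth."""
    if json_nesting_depth(payload) > limit:
        raise ValueError("claim set nesting exceeds %d levels" % limit)
    return json.loads(payload)


# Constructed samples: an ordinary claim set, and one nested thousands of
# levels deep, the shape of input the advisory describes.
NORMAL_CLAIMS = '{"sub":"alice","roles":["admin"],"note":"[{not nested}]"}'
DEEP_CLAIMS = '{"sub":"alice","x":' + "[" * 5000 + "]" * 5000 + "}"


def demo():
    """Returns (parsed normal claims, whether the deep payload was refused)."""
    accepted = parse_claims(NORMAL_CLAIMS)
    try:
        parse_claims(DEEP_CLAIMS)
        refused = False
    except ValueError:
        refused = True
    return accepted, refused
```

The depth scan runs before the recursive parser ever sees the text, so the limit holds regardless of what the underlying JSON library enforces.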

CVEID:   CVE-2025-61795
DESCRIPTION:   Improper Resource Shutdown or Release vulnerability
in Apache Tomcat. If an error occurred (including exceeding limits)
during the processing of a multipart upload, temporary copies of
the uploaded parts written to disc were not cleaned up immediately
but left for the garbage collection process to delete. Depending
on JVM settings, application memory usage and application load, it
was possible that space for the temporary copies of uploaded parts
would be filled faster than GC cleared it, leading to a DoS. This
issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11,
from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.
The following versions were EOL at the time the CVE was created
but are known to be affected: 8.5.0 through 8.5.100. Other,
older, EOL versions may also be affected. Users are recommended
to upgrade to version 11.0.12 or later, 10.1.47 or later, or
9.0.110 or later, which fixes the issue.
CWE:   CWE-404: Improper Resource Shutdown or Release
CVSS Source:   CISA ADP
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2025-41234
DESCRIPTION:   In Spring Framework, versions 6.0.x as of 6.0.5, versions
6.1.x and 6.2.x, an application is vulnerable to a reflected file
download (RFD) attack when it sets a “Content-Disposition” header with a
non-ASCII charset, where the filename attribute is derived from
user-supplied input. Specifically, an application is vulnerable when all
the following are true:
* The header is prepared with org.springframework.http.ContentDisposition.
* The filename is set via ContentDisposition.Builder#filename(String,
  Charset).
* The value for the filename is derived from user-supplied input.
* The application does not sanitize the user-supplied input.
* The downloaded content of the response is injected with malicious
  commands by the attacker (see RFD paper reference for details).
An application is not vulnerable if any of the following is true:
* The application does not set a “Content-Disposition” response header.
* The header is not prepared with
  org.springframework.http.ContentDisposition.
* The filename is set via one of: ContentDisposition.Builder#filename(String),
  or ContentDisposition.Builder#filename(String, ASCII).
* The filename is not derived from user-supplied input.
* The filename is derived from user-supplied input but sanitized by the
  application.
* The attacker cannot inject malicious content in the downloaded content
  of the response.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.7
* 6.1.0 - 6.1.20
* 6.0.5 - 6.0.28
* Older, unsupported versions are not affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed
version.

Affected version(s)    Fix version    Availability
6.2.x                  6.2.8          OSS
6.1.x                  6.1.21         OSS
6.0.x                  6.0.29         Commercial (https://enterprise.spring.io/)

No further mitigation steps are necessary.
CWE-113 in `Content-Disposition` handling in VMware Spring Framework
versions 6.0.5 to 6.2.7 allows remote attackers to launch Reflected File
Download (RFD) attacks via unsanitized user input in
`ContentDisposition.Builder#filename(String, Charset)` with non-ASCII
charsets.
CWE:   CWE-113: Improper Neutralization of CRLF Sequences
in HTTP Headers ('HTTP Request/Response Splitting')
CVSS Source:   security@vmware.com
CVSS Base score:   6.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N)

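
A filename sanitizer and header builder of the kind the "sanitized by the application" condition above refers to, as an added example in Python (not Spring or IBM code; the extension allow-list, the default name and the sample inputs are assumptions made for the demonstration):

```python
import re
import unicodedata
from urllib.parse import quote

# Assumed policy for this service: only these download types are ever served.
ALLOWED_EXTENSIONS = {".pdf", ".csv", ".txt"}
DEFAULT_NAME = "download.txt"


def sanitize_filename(user_name: str) -> str:
    """Reduce a user-supplied name to something safe to echo in a header:
    drop control characters (CR/LF included), quotes, semicolons, path
    separators and shell-significant characters, then pin the extension to
    the allow-list so the browser is never handed an executable-looking
    name. Anything that does not survive falls back to DEFAULT_NAME."""
    name = unicodedata.normalize("NFC", user_name)
    name = re.sub(r'[\x00-\x1f\x7f"\';\\/:*?<>|]', "", name).strip(" .")
    stem, dot, ext = name.rpartition(".")
    if not stem or not dot or "." + ext.lower() not in ALLOWED_EXTENSIONS:
        return DEFAULT_NAME
    return stem[:100] + "." + ext.lower()


def content_disposition(user_name: str) -> str:
    """Header with an ASCII fallback and the RFC 5987 UTF-8 form, so non-ASCII
    names are percent-encoded rather than written raw into the header."""
    name = sanitize_filename(user_name)
    ascii_fallback = name.encode("ascii", "replace").decode().replace("?", "_")
    return 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        ascii_fallback, quote(name, safe=""))


# Constructed inputs: a benign French filename, a CRLF header-injection
# attempt, a traversal/executable name, and a name with only an extension.
SAMPLES = {
    "benign": "rapport été.pdf",
    "crlf": "report.pdf\r\nX-Injected: 1",
    "traversal": "../../evil.bat",
    "ext_only": ".pdf",
}


def demo() -> dict:
    return {k: sanitize_filename(v) for k, v in SAMPLES.items()}
```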
Affected Products and Versions


Affected Product(s)             Version(s)

UCB - IBM UrbanCode Build       6.1.7 - 6.1.7.10
IBM DevOps Build                7.0.0 - 7.1.0.1


Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now
by upgrading to IBM DevOps Build 7.1.0.2 or above.

Affected Supporting Product(s)              Remediation/Fix

UCB - IBM UrbanCode Build 6.1.7 - 6.1.7.10  Download IBM DevOps Build 7.1.0.2
IBM DevOps Build 7.0.0 - 7.1.0.1            Download IBM DevOps Build 7.1.0.2


Workarounds and Mitigations

None


Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important
product support alerts like this.


References

Complete CVSS v3 Guide
On-line Calculator v3


Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


Acknowledgement


Change History

03 Mar 2026: Initial Publication

*The CVSS Environment Score is customer environment specific and
will ultimately impact the Overall CVSS Score. Customers can
evaluate the impact of this vulnerability in their environments
by accessing the links in the Reference section of this Security
Bulletin.


Disclaimer

According to the Forum of Incident Response and Security Teams
(FIRST), the Common Vulnerability Scoring System (CVSS) is an
"industry open standard designed to convey vulnerability severity
and help to determine urgency and priority of response." IBM
PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND,
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR
ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
VULNERABILITY. In addition to other efforts to address potential
vulnerabilities, IBM periodically updates the record of
components contained in our product offerings. As part of that
effort, if IBM identifies previously unidentified packages in
a product/service inventory, we address relevant vulnerabilities
regardless of CVE date. Inclusion of an older CVEID does not
demonstrate that the referenced product has been used by IBM
since that date, nor that IBM was aware of a vulnerability as
of that date. We are making clients aware of relevant
vulnerabilities as we become aware of them. "Affected Products
and Versions" referenced in IBM Security Bulletins are
intended to be only products and versions that are supported
by IBM and have not passed their end-of-support or warranty
date. Thus, failure to reference unsupported or extended-support
products and versions in this Security Bulletin does not
constitute a determination by IBM that they are unaffected
by the vulnerability. Reference to one or more unsupported
versions in this Security Bulletin shall not create an
obligation for IBM to provide fixes for any unsupported or
extended-support products or versions.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================