CVE-2024-22319
Published: 02 February 2024
Summary
CVE-2024-22319 is a high-severity Injection (CWE-74) vulnerability in IBM Operational Decision Manager. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
IBM Operational Decision Manager versions 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, 8.11.1, and 8.12.0.1 contain a remote code execution flaw (CVE-2024-22319) that stems from JNDI injection. The issue occurs when an unchecked argument is supplied to a specific API, allowing an attacker to influence directory or naming lookups and ultimately execute arbitrary code. The vulnerability is tracked under CWE-74 and carries a CVSS 3.1 score of 8.1.
An unauthenticated remote attacker can trigger the flaw over the network by crafting a malicious request that passes a controlled value into the affected API. Successful exploitation fully compromises the confidentiality, integrity, and availability of the decision-manager instance, although attack complexity is high because the attacker must reach and manipulate the vulnerable code path.
IBM has published remediation guidance on its support portal and X-Force Exchange that addresses the affected releases and outlines available fixes or configuration changes. The current EPSS score of 0.87, with a recorded peak of 0.91, indicates sustained and elevated exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19880
Vulnerability details
IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, 8.11.1 and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 279145.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.