Security fixes

The following WebSphere Commerce releases contain security fixes for defects that are considered to be security vulnerabilities. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.

To avoid preventable security issues, it is recommended that you stay up to date on the most current maintenance options for your products.

Important: For up-to-date bulletins, subscribe to the following services:

The HCL PSIRT blog for WebSphere Commerce security bulletins.
IBM software support updates, for IBM companion software security bulletins.

Vulnerabilities addressed in WebSphere Commerce 8.0.4.29


Affected software	CVE(s)	Vulnerability
jackson-databind, Spring Framework	WS-2021-0616, CVE-2021-22096	Multiple vulnerabilities in open source components affect HCL Commerce
jackson-databind, Spring Framework	CVE-2020-36518, CVE-2022-22950	Multiple vulnerabilities in open source components affect HCL Commerce

Vulnerabilities addressed in WebSphere Commerce 8.0.4.28


Affected software	CVE(s)	Vulnerability
CKeditor	CVE-2021-26272	Vulnerability in CKeditor affects HCL Commerce
WebSphere Commerce	CVE-2021-4104	Vulnerability in Apache Log4j 1.2 affects HCL Commerce
WebSphere Commerce	CVE-2021-27751	HCL Commerce is affected by Insufficient Session Expiration vulnerability

Vulnerabilities addressed in WebSphere Commerce 8.0.4.27


Affected software	CVE(s)	Vulnerability
WebSphere Commerce	CVE-2021-27750	Session termination vulnerability in HCL Commerce
WebSphere Commerce	CVE-2021-27741	XML external entity (XXE) injection vulnerability in HCL Commerce
WebSphere Application Server	CVE-2020-5258, CVE-2021-20453, CVE-2021-20454, CVE-2021-26296, CVE-2021-2161, CVE-2015-5262, CVE-2011-1498, CVE-2014-3577, CVE-2012-6153, CVE-2021-29754	Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce
Apache PDFBox	CVE-2021-31811, CVE-2021-31812	Multiple security vulnerabilities in Apache PDFBox affect HCL Commerce

Vulnerabilities addressed in WebSphere Commerce 8.0.4.26


Affected software	CVE(s)	Vulnerability
XMLBeans	CVE-2021-23926	Vulnerability in XMLBeans affects HCL Commerce
Jackson Databind	CVE-2020-25649	Vulnerability in Jackson Databind affects HCL Commerce
CKEditor	CVE-2020-9281, CVE-2018-17960	Cross-site scripting (XSS) vulnerabilities in CKEditor shipped with HCL Commerce
Apache Tika	CVE-2016-4434, CVE-2018-11761, CVE-2018-11796	Multiple vulnerabilities in Apache POI and Apache Tika affects HCL Commerce
Apache POI	CVE-2017-12626, CVE-2014-9527, CVE-2017-12626, WS-2016-7061, WS-2016-7061, WS-2016-7061	Multiple vulnerabilities in Apache POI and Apache Tika affects HCL Commerce

Vulnerabilities addressed in WebSphere Commerce 8.0.4.18


Affected software	CVE(s)	Vulnerability
WebSphere Commerce	CVE-2018-1541, CVE-2018-1807	CVE-2018-1541, CVE-2018-1807

Vulnerabilities addressed in WebSphere Commerce 8.0.4.17


Affected software	CVE
WebSphere Commerce	CVE-2018-1811

Vulnerabilities addressed in WebSphere Commerce 8.0.4.16


Affected software	CVE
WebSphere Commerce	CVE-2018-1739

Vulnerabilities addressed in WebSphere Commerce 8.0.4.15


Affected software	CVE
WebSphere Commerce	CVE-2018-1644

Vulnerabilities addressed in WebSphere Commerce 8.0.4.9


Affected software	CVE
WebSphere Commerce	CVE-2017-1484

Vulnerabilities addressed in WebSphere Commerce 8.0.4.6


Affected software	CVE
WebSphere Commerce	CVE-2017-1569