Security fixes
The following HCL Commerce releases contain security fixes for defects that are considered to be security vulnerabilities. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.
To avoid preventable security issues, it is recommended that you stay up to date on the most current maintenance options for your products.
Important: For up-to-date bulletins, subscribe to the following services:
- The HCL PSIRT blog for HCL Commerce security bulletins.
- IBM software support updates, for IBM companion software security bulletins.
Vulnerabilities addressed in HCL Commerce 9.0.1.21
A number of software vulnerability fixes in companion software have been included in 9.0.1.21.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| WebSphere Application Server V8.5.5 Liberty | CVE-2023-44487, CVE-2023-46158 | Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect HCL Commerce |
Vulnerabilities addressed in HCL Commerce 9.0.1.20
A number of software vulnerability fixes in companion software have been included in 9.0.1.20.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| WebSphere Application Server | CVE-2023-24998, CVE-2023-26283 | Multiple vulnerabilities in IBM WebSphere Application Server affect HCL Commerce |
| IBM Java SDK and IBM HTTP Server | CVE-2023-30441, CVE-2023-25690 | Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with IBM WebSphere Application Server affect HCL Commerce |
| Apache Kafka | CVE-2022-34917 | Vulnerabilities in Apache Kafka affect HCL Commerce |
| WebSphere Application Server and IBM HTTP Server | CVE-2022-43680, CVE-2022-37436, CVE-2022-21541, CVE-2021-2163, CVE-2022-21540, CVE-2022-21626, CVE-2017-9233, CVE-2013-0340, CVE-2022-21624 | Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server V8.5.5 Liberty | CVE-2022-24839, CVE-2022-22476 | Multiple vulnerabilities in WebSphere Application Server Liberty affect HCL Commerce |
| WebSphere Application Server | CVE-2023-23477, CVE-2022-22477, CVE-2022-38712, CVE-2022-34336, CVE-2022-40750, CVE-2022-34165, CVE-2022-35282, CVE-2022-22473 | Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce |
| jQuery | CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2022-31160 | Multiple vulnerabilities in jQuery affect HCL Commerce |
Vulnerabilities addressed in HCL Commerce 9.0.1.19
A number of software vulnerability fixes in companion software have been included in 9.0.1.19.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| WebSphere Application Server and IBM HTTP Server | CVE-2022-26377, CVE-2022-28615, CVE-2022-28614, CVE-2022-29404, CVE-2022-31813, CVE-2022-30556 | Multiple vulnerabilities in IBM HTTP Server included with WebSphere Application Server affect HCL Commerce |
| HCL Commerce | CVE-2021-27785 | HCL Commerce could allow a local attacker to obtain sensitive personal information |
| Apache Log4j | CVE-2022-23307, CVE-2022-23302, CVE-2022-23305 | Vulnerability in Apache Log4j 1.2 affects HCL Commerce |
| IBM HTTP Server, IBM Java SDK | CVE-2022-25315, CVE-2021-35550, CVE-2022-25313, CVE-2022-21340, CVE-2022-25236, CVE-2021-35603, CVE-2022-25235 | Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2021-39038 | A vulnerability in WebSphere Application Server affects HCL Commerce |
| WebSphere Application Server and IBM HTTP Server | CVE-2022-22721, CVE-2022-22720, CVE-2022-22365, CVE-2022-22719 | Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server V8.5.5 Liberty | CVE-2022-22475, CVE-2021-46708, CVE-2022-22393 | Multiple vulnerabilities in WebSphere Application Server Liberty affect HCL Commerce |
| jackson-databind, Spring Framework | CVE-2020-36518, CVE-2022-22950 | Multiple vulnerabilities in open source components affect HCL Commerce |
| Apache Struts 2, org.cyberneko.html | CVE-2021-31805, CVE-2022-24839, CVE-2022-2950 | Multiple vulnerabilities in open source components affect HCL Commerce |
Vulnerabilities addressed in HCL Commerce 9.0.1.18
A number of software vulnerability fixes in companion software have been included in 9.0.1.18.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| jackson-databind, Spring Framework | WS-2021-0616, CVE-2021-22096 | Multiple vulnerabilities in open source components affect HCL Commerce |
| Apache Chainsaw, Apache XercesJ, Spring Framework | CVE-2022-23307, CVE-2022-23437, CVE-2021-22060 | Multiple vulnerabilities in open source components affect HCL Commerce |
| WebSphere Application Server and IBM HTTP Server | CVE-2021-23450, CVE-2022-23990, CVE-2022-23852, CVE-2022-22822, CVE-2022-22823, CVE-2022-22825, CVE-2021-46143, CVE-2022-22824, CVE-2022-22826, CVE-2022-22827, CVE-2021-45960 | Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2021-40438, CVE-2021-45046, CVE-2021-4104, CVE-2021-36090, CVE-2021-38951, CVE-2021-34798, CVE-2021-35517, CVE-2021-35578, CVE-2021-35564, CVE-2021-2369, CVE-2021-39275, CVE-2021-29842 | Multiple security vulnerabilities in WebSphere Application Server affect HCL Commerce |
Vulnerabilities addressed in HCL Commerce 9.0.1.17
A number of software vulnerability fixes in companion software have been included in 9.0.1.17.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| HCL Commerce | CVE-2021-27750 | Session termination vulnerability in HCL Commerce |
| WebSphere Application Server | CVE-2021-29736 | Privilege Escalation vulnerability in WebSphere Application Server affects HCL Commerce |
| WebSphere Application Server | CVE-2020-5258, CVE-2021-20453, CVE-2021-20454, CVE-2021-26296, CVE-2021-2161, CVE-2015-5262, CVE-2011-1498, CVE-2014-3577, CVE-2012-6153, CVE-2021-29754 | Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce |
| Apache Ant | CVE-2021-36373, CVE-2021-36374 | Multiple vulnerabilities in Apache Ant affect HCL Commerce |
| Apache PDFBox | CVE-2021-31811, CVE-2021-31812 | Multiple security vulnerabilities in Apache PDFBox affect HCL Commerce |
| CKeditor | CVE-2021-26272 | Vulnerability in CKeditor affects HCL Commerce |
Vulnerabilities addressed in 9.0.1.16
A number of software vulnerability fixes in companion software have been included in 9.0.1.16.Vulnerabilities addressed in HCL Commerce 9.0.1.15
A number of software vulnerability fixes in companion software have been included in 9.0.1.15.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| HCL Commerce | CVE-2020-14274 | Information disclosure vulnerability in HCL Commerce |
| HCL Commerce | CVE-2020-14275 | Potential denial of service and information disclosure vulnerability in HCL Commerce |
Vulnerabilities addressed in HCL Commerce 9.0.1.14
A number of software vulnerability fixes in companion software have been included in 9.0.1.14.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| IBM® Java SDK included with WebSphere Application Server | CVE-2020-2601, CVE-2020-14621, CVE-2020-14581, CVE-2020-14579, CVE-2020-14578, CVE-2020-14577, CVE-2020-2590 | Security vulnerabilities in IBM® Java SDK included with WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2020-4589, CVE-2020-4578, CVE-2020-4643 | Multiple vulnerabilities in WebSphere Application Server affects HCL Commerce |
Vulnerabilities addressed in HCL Commerce 9.0.1.13
A number of software vulnerability fixes in companion software have been included in 9.0.1.13.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| WebSphere Application Server | CVE-2020-4534 | WebSphere Application Server is vulnerable to a remote code execution vulnerability |
| WebSphere Application Server | CVE-2020-4464 | WebSphere Application Server is vulnerable to a remote code execution vulnerability |
Vulnerabilities addressed in HCL Commerce 9.0.1.12
A number of software vulnerability fixes in companion software have been included in 9.0.1.12.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| Apache Tika | CVE-2019-10088 | CVE-2019-10088 |
| Apache Tika | CVE-2019-10093 | CVE-2019-10093 |
| Apache Tika | CVE-2019-10094 | CVE-2019-10094 |
Vulnerabilities addressed in HCL Commerce 9.0.1.11
A number of software vulnerability fixes in companion software have been included in 9.0.1.11.| Affected software | CVE(s) | CVE |
|---|---|---|
| jquery | CVE-2019-11358 | CVE-2019-11358 |
| commons-codec | WS-2019-0379 | WS-2019-0379 |
| handlebars.js | CVE-2019-19919 | CVE-2019-19919 |
Vulnerabilities addressed in HCL Commerce 9.0.1.10
A number of software vulnerability fixes in companion software have been included in 9.0.1.10.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| Jackson Databind | CVE-2019-14379 | CVE-2019-14379 |
| Jackson Databind | CVE-2019-14439 | CVE-2019-14439 |
| WebSphere Application Server V8.5.5 Liberty | CVE-2018-1902 | CVE-2018-1902 |
| IBM SDK, Java Technology Edition | CVE-2019-7317, CVE-2019-2769, CVE-2019-2762, CVE-2019-2816, CVE-2019-2786, CVE-2019-2766, CVE-2019-11772, CVE-2019-11775, CVE-2019-4473, CVE-2019-11771 | Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition |
Vulnerabilities addressed in HCL Commerce 9.0.1.8
A number of software vulnerability fixes in companion software have been included in 9.0.1.8.| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| Jackson Databind | CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439 | CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439 |
| Jquery | CVE-2015-9251, CVE-2019-11358 | CVE-2015-9251, CVE-2019-11358 |
| Httpclient | CVE-2014-3577, CVE-2015-5262, WS-2017-3734 | CVE-2014-3577, CVE-2015-5262, WS-2017-3734 |
| Spring-webmvc | CVE-2015-5211, CVE-2016-5007 | CVE-2015-5211, CVE-2016-5007 |
| IBM HTTP Server | CVE-2018-17189, CVE-2019-0190, CVE-2018-17199, CVE-2019-0190, CVE-2016-0702, CVE-2017-15710, CVE-2017-15715, CVE-2018-1301 | CVE-2018-17189, CVE-2019-0190, CVE-2018-17199, CVE-2019-0190, CVE-2016-0702, CVE-2017-15710, CVE-2017-15715, CVE-2018-1301 |
| WebSphere Application Server V8.5.5 Liberty | CVE-2018-1902, CVE-2019-4046 | CVE-2018-1902, CVE-2019-4046 |
| WebSphere Application Server | CVE-2019-10245, CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698, CVE-2019-2699, CVE-2019-4279, CVE-2019-0211, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220, CVE-2019-4269 | CVE-2019-10245, CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698, CVE-2019-2699, CVE-2019-4279, CVE-2019-0211, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220, CVE-2019-4269 |