Security fixes

The following HCL Commerce releases contain security fixes for defects that are considered security vulnerabilities. The details below provide risk assessment information to help you judge whether a particular issue might affect your organization.

To avoid preventable security issues, it is recommended that you stay up to date on the most current maintenance options for your products.

Important: For up-to-date bulletins, subscribe to the following services:

Vulnerabilities addressed in HCL Commerce 9.0.1.19

A number of software vulnerability fixes in companion software have been included in 9.0.1.19.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| HCL Commerce | CVE-2021-27785 | HCL Commerce could allow a local attacker to obtain sensitive personal information |
| Apache Log4j | CVE-2022-23307, CVE-2022-23302, CVE-2022-23305 | Vulnerability in Apache Log4j 1.2 affects HCL Commerce |
| IBM HTTP Server, IBM Java SDK | CVE-2022-25315, CVE-2021-35550, CVE-2022-25313, CVE-2022-21340, CVE-2022-25236, CVE-2021-35603, CVE-2022-25235 | Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2021-39038 | A vulnerability in WebSphere Application Server affects HCL Commerce |
| WebSphere Application Server and IBM HTTP Server | CVE-2022-22721, CVE-2022-22720, CVE-2022-22365, CVE-2022-22719 | Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server Liberty | CVE-2022-22475, CVE-2021-46708, CVE-2022-22393 | Multiple vulnerabilities in WebSphere Application Server Liberty affect HCL Commerce |
| jackson-databind, Spring Framework | CVE-2020-36518, CVE-2022-22950 | Multiple vulnerabilities in open source components affect HCL Commerce |
| Apache Struts 2, org.cyberneko.html | CVE-2021-31805, CVE-2022-24839 | Multiple vulnerabilities in open source components affect HCL Commerce |

Vulnerabilities addressed in HCL Commerce 9.0.1.18

A number of software vulnerability fixes in companion software have been included in 9.0.1.18.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| jackson-databind, Spring Framework | WS-2021-0616, CVE-2021-22096 | Multiple vulnerabilities in open source components affect HCL Commerce |
| Apache Chainsaw, Apache XercesJ, Spring Framework | CVE-2022-23307, CVE-2022-23437, CVE-2021-22060 | Multiple vulnerabilities in open source components affect HCL Commerce |
| WebSphere Application Server and IBM HTTP Server | CVE-2021-23450, CVE-2022-23990, CVE-2022-23852, CVE-2022-22822, CVE-2022-22823, CVE-2022-22825, CVE-2021-46143, CVE-2022-22824, CVE-2022-22826, CVE-2022-22827, CVE-2021-45960 | Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2021-40438, CVE-2021-45046, CVE-2021-4104, CVE-2021-36090, CVE-2021-38951, CVE-2021-34798, CVE-2021-35517, CVE-2021-35578, CVE-2021-35564, CVE-2021-2369, CVE-2021-39275, CVE-2021-29842 | Multiple security vulnerabilities in WebSphere Application Server affect HCL Commerce |

Vulnerabilities addressed in HCL Commerce 9.0.1.17

A number of software vulnerability fixes in companion software have been included in 9.0.1.17.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| HCL Commerce | CVE-2021-27750 | Session termination vulnerability in HCL Commerce |
| WebSphere Application Server | CVE-2021-29736 | Privilege escalation vulnerability in WebSphere Application Server affects HCL Commerce |
| WebSphere Application Server | CVE-2020-5258, CVE-2021-20453, CVE-2021-20454, CVE-2021-26296, CVE-2021-2161, CVE-2015-5262, CVE-2011-1498, CVE-2014-3577, CVE-2012-6153, CVE-2021-29754 | Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce |
| Apache Ant | CVE-2021-36373, CVE-2021-36374 | Multiple vulnerabilities in Apache Ant affect HCL Commerce |
| Apache PDFBox | CVE-2021-31811, CVE-2021-31812 | Multiple security vulnerabilities in Apache PDFBox affect HCL Commerce |
| CKEditor | CVE-2021-26272 | Vulnerability in CKEditor affects HCL Commerce |

Vulnerabilities addressed in HCL Commerce 9.0.1.16

A number of software vulnerability fixes in companion software have been included in 9.0.1.16.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| HCL Commerce | CVE-2021-27741 | XML external entity (XXE) injection vulnerability in HCL Commerce |
| WebSphere Application Server | CVE-2020-14797, CVE-2020-4949, CVE-2021-20353, CVE-2021-20354, CVE-2020-2773, CVE-2020-14782, CVE-2020-27221, CVE-2020-14781 | Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2020-4782, CVE-2020-4576 | Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2020-5016 | A vulnerability in WebSphere Application Server affects HCL Commerce |
| Jackson Databind | CVE-2020-25649 | Vulnerability in Jackson Databind affects HCL Commerce |
| Netty All library | CVE-2021-21290 | Information disclosure vulnerability in Netty All library affects HCL Commerce |
| JUnit4 | CVE-2020-15250 | Vulnerability in JUnit4 affects HCL Commerce |
| Struts | CVE-2020-17530 | Vulnerability in Apache Struts affects HCL Commerce |
| CKEditor | CVE-2020-9281, CVE-2018-17960 | Cross-site scripting (XSS) vulnerabilities in CKEditor shipped with HCL Commerce |
| Apache PDFBox | CVE-2021-27807, CVE-2021-27906 | Multiple vulnerabilities in Apache PDFBox affect HCL Commerce |

Vulnerabilities addressed in HCL Commerce 9.0.1.15

A number of software vulnerability fixes in companion software have been included in 9.0.1.15.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| HCL Commerce | CVE-2020-14274 | Information disclosure vulnerability in HCL Commerce |
| HCL Commerce | CVE-2020-14275 | Potential denial of service and information disclosure vulnerability in HCL Commerce |

Vulnerabilities addressed in HCL Commerce 9.0.1.14

A number of software vulnerability fixes in companion software have been included in 9.0.1.14.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| IBM® Java SDK included with WebSphere Application Server | CVE-2020-2601, CVE-2020-14621, CVE-2020-14581, CVE-2020-14579, CVE-2020-14578, CVE-2020-14577, CVE-2020-2590 | Security vulnerabilities in IBM® Java SDK included with WebSphere Application Server affect HCL Commerce |
| WebSphere Application Server | CVE-2020-4589, CVE-2020-4578, CVE-2020-4643 | Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce |

Vulnerabilities addressed in HCL Commerce 9.0.1.13

A number of software vulnerability fixes in companion software have been included in 9.0.1.13.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| WebSphere Application Server | CVE-2020-4534 | WebSphere Application Server is vulnerable to a remote code execution vulnerability |
| WebSphere Application Server | CVE-2020-4464 | WebSphere Application Server is vulnerable to a remote code execution vulnerability |

Vulnerabilities addressed in HCL Commerce 9.0.1.12

A number of software vulnerability fixes in companion software have been included in 9.0.1.12.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| Apache Tika | CVE-2019-10088 | CVE-2019-10088 |
| Apache Tika | CVE-2019-10093 | CVE-2019-10093 |
| Apache Tika | CVE-2019-10094 | CVE-2019-10094 |

Vulnerabilities addressed in HCL Commerce 9.0.1.11

A number of software vulnerability fixes in companion software have been included in 9.0.1.11.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| jquery | CVE-2019-11358 | CVE-2019-11358 |
| commons-codec | WS-2019-0379 | WS-2019-0379 |
| handlebars.js | CVE-2019-19919 | CVE-2019-19919 |

Vulnerabilities addressed in HCL Commerce 9.0.1.10

A number of software vulnerability fixes in companion software have been included in 9.0.1.10.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| Jackson Databind | CVE-2019-14379 | CVE-2019-14379 |
| Jackson Databind | CVE-2019-14439 | CVE-2019-14439 |
| WebSphere Application Server Liberty | CVE-2018-1902 | CVE-2018-1902 |
| IBM SDK, Java Technology Edition | CVE-2019-7317, CVE-2019-2769, CVE-2019-2762, CVE-2019-2816, CVE-2019-2786, CVE-2019-2766, CVE-2019-11772, CVE-2019-11775, CVE-2019-4473, CVE-2019-11771 | Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition |

Vulnerabilities addressed in HCL Commerce 9.0.1.8

A number of software vulnerability fixes in companion software have been included in 9.0.1.8.
| Affected software | CVE(s) | Vulnerability |
|---|---|---|
| Jackson Databind | CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439 | CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439 |
| jQuery | CVE-2015-9251, CVE-2019-11358 | CVE-2015-9251, CVE-2019-11358 |
| HttpClient | CVE-2014-3577, CVE-2015-5262, WS-2017-3734 | CVE-2014-3577, CVE-2015-5262, WS-2017-3734 |
| spring-webmvc | CVE-2015-5211, CVE-2016-5007 | CVE-2015-5211, CVE-2016-5007 |
| IBM HTTP Server | CVE-2018-17189, CVE-2019-0190, CVE-2018-17199, CVE-2016-0702, CVE-2017-15710, CVE-2017-15715, CVE-2018-1301 | CVE-2018-17189, CVE-2019-0190, CVE-2018-17199, CVE-2016-0702, CVE-2017-15710, CVE-2017-15715, CVE-2018-1301 |
| WebSphere Application Server Liberty | CVE-2018-1902, CVE-2019-4046 | CVE-2018-1902, CVE-2019-4046 |
| WebSphere Application Server | CVE-2019-10245, CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698, CVE-2019-2699, CVE-2019-4279, CVE-2019-0211, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220, CVE-2019-4269 | CVE-2019-10245, CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698, CVE-2019-2699, CVE-2019-4279, CVE-2019-0211, CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220, CVE-2019-4269 |