Vulnerability Details
Basic Information
| Title | Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-23450, CVE-1999-0001) |
|---|---|
| Type | ibm |
| Published | 2025-04-28T20:41:23 |
| Last Seen | 2025-04-29T02:56:48 |
| CVSS Score | 9.8 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-1999-0001, CVE-2021-23450 |
|---|---|
| CWE | |
| Bulletin Family | software |
Description
WebSphere Application Server Liberty used by Rational Asset Analyzer is vulnerable to remote code execution due to Dojo. This has been addressed.
## Vulnerability Details
**CVEID:** CVE-2021-23450
**DESCRIPTION:** Dojo could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the setObject function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216463 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
**CVEID:** CVE-1999-0001
**DESCRIPTION:** ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets.
CVSS Base score: 0
CVSS Vector:
## Affected Products and Versions
| **Affected Product(s)** | **Version(s)** |
|---|---|
| Rational Asset Analyzer (RAA) | 6.1.0.0 – 6.1.0.23 |
## Remediation/Fixes
Apply the corresponding fix from Fix Central. Note the release date of 2022/05/03.
| **Windows Version** | Fix Central |
|---|---|
| **z/OS Version** | Fix Central |
IBM strongly recommends addressing the vulnerability now by upgrading.
## Workarounds and Mitigations
None
## Impact Assessment
| Base Score | 9.8 |
|---|---|
| Severity | CRITICAL |