Security fixes

The following HCL Commerce releases contain security fixes for defects that are considered to be security vulnerabilities. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.

To avoid preventable security issues, it is recommended that you stay up to date on the most current maintenance options for your products.

Important: For up-to-date bulletins, subscribe to the following services:

Vulnerabilities addressed in HCL Commerce 9.1.16.0

A number of software vulnerability fixes in companion software have been included in 9.1.16.0.
Affected software CVE(s) Vulnerability
logback, ws, Apache Tomcat, micromatch, braces, TinyMCE CVE-2023-6378, CVE-2023-6481, CVE-2024-37890, CVE-2023-46589, CVE-2024-37890, CVE-2024-4067, CVE-2024-4068, CVE-2024-38357, CVE-2024-38356 Multiple vulnerabilities in open source components affect HCL Commerce
Apache Struts 2 CVE-2023-50164, CVE-2023-41835 A vulnerability in Apache Struts 2 affects HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.15.0

A number of software vulnerability fixes in companion software have been included in 9.1.15.0.
Affected software CVE(s) Vulnerability
WebSphere Application Server V8.5.5 Liberty CVE-2023-44487, CVE-2023-46158 Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect HCL Commerce
Apache Tomcat CVE-2023-44487, CVE-2023-45648, CVE-2023-42795 Multiple vulnerabilities in Apache Tomcat affect HCL Commerce
TinyMCE CVE-2023-45818, CVE-2023-48219 Multiple vulnerabilities in TinyMCE affect HCL Commerce
JSON-Java CVE-2023-5072 A vulnerability in JSON-Java affects HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.14.0

A number of software vulnerability fixes in companion software have been included in 9.1.14.0.
Affected software CVE(s) Vulnerability
WebSphere Application Server and IBM Java SDK CVE-2022-40609, CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-35890, CVE-2023-22, CVE-2023-22049045, CVE-2023-22049 Multiple vulnerabilities in IBM WebSphere Application Server and IBM Java SDK affect HCL Commerce
Apache Lucene WS-2021-0646 A vulnerability in Apache Lucene affects HCL Commerce with Elasticsearch
HCL Commerce CVE-2023-37532 A path traversal vulnerability affects HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.13.2

A number of software vulnerability fixes in companion software have been included in 9.1.13.2.
Affected software CVE(s) Vulnerability
Elasticsearch CVE-2023-3446, CVE-2023-2976, WS-2021-0646 Multiple vulnerabilities in open source libraries affect HCL Commerce with Elasticsearch

Vulnerabilities addressed in HCL Commerce 9.1.13.0

A number of software vulnerability fixes in companion software have been included in 9.1.13.0.
Affected software CVE(s) Vulnerability
WebSphere Application Server and IBM HTTP Server CVE-2023-32342, CVE-2023-27554, CVE-2023-24966, CVE-2022-39161 Multiple vulnerabilities in IBM WebSphere Application Server and IBM HTTP Server affect HCL Commerce
IBM Java SDK and IBM HTTP Server CVE-2023-30441, CVE-2023-25690 Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with IBM WebSphere Application Server affect HCL Commerce
WebSphere Application Server CVE-2023-24998, CVE-2023-26283 Multiple vulnerabilities in IBM WebSphere Application Server affect HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.12.0

A number of software vulnerability fixes in companion software have been included in 9.1.12.0.
Affected software CVE(s) Vulnerability
Apache Kafka CVE-2022-34917 Vulnerabilities in Apache Kafka affect HCL Commerce
WebSphere Application Server and IBM HTTP Server CVE-2022-43680, CVE-2022-37436, CVE-2022-21541, CVE-2021-2163, CVE-2022-21540, CVE-2022-21626, CVE-2017-9233, CVE-2013-0340, CVE-2022-21624 Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with WebSphere Application Server affect HCL Commerce
WebSphere Application Server V8.5.5 Liberty CVE-2022-24839, CVE-2022-22476 Multiple vulnerabilities in WebSphere Application Server Liberty affect HCL Commerce
WebSphere Application Server CVE-2023-23477, CVE-2022-22477, CVE-2022-38712, CVE-2022-34336, CVE-2022-40750, CVE-2022-34165, CVE-2022-35282, CVE-2022-22473 Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce
jQuery CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2022-31160 Multiple vulnerabilities in jQuery affect HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.11.0

A number of software vulnerability fixes in companion software have been included in 9.1.11.0.
Affected software CVE(s) Vulnerability
WebSphere Application Server and IBM HTTP Server CVE-2022-26377, CVE-2022-28615, CVE-2022-28614, CVE-2022-29404, CVE-2022-31813, CVE-2022-30556 Multiple vulnerabilities in IBM HTTP Server included with WebSphere Application Server affect HCL Commerce
HCL Commerce CVE-2021-27785 HCL Commerce could allow a local attacker to obtain sensitive personal information
WebSphere Application Server V8.5.5 Liberty CVE-2022-22475, CVE-2021-46708, CVE-2022-22393 Multiple vulnerabilities in WebSphere Application Server Liberty affect HCL Commerce
WebSphere Application Server and IBM HTTP Server CVE-2022-22721, CVE-2022-22720, CVE-2022-22365, CVE-2022-22719 Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce
jackson-databind, Spring Framework CVE-2020-36518, CVE-2022-22950 Multiple vulnerabilities in open source components affect HCL Commerce
Apache Struts 2, org.cyberneko.html CVE-2021-31805, CVE-2022-24839, CVE-2022-2950 Multiple vulnerabilities in open source components affect HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.10.0

A number of software vulnerability fixes in companion software have been included in 9.1.10.0.
Affected software CVE(s) Vulnerability
jackson-databind, Spring Framework WS-2021-0616, CVE-2021-22096 Multiple vulnerabilities in open source components affect HCL Commerce
Apache Chainsaw, Apache XercesJ, Spring Framework CVE-2022-23307, CVE-2022-23437, CVE-2021-22060 Multiple vulnerabilities in open source components affect HCL Commerce
corenlp, Netty, node-fetch CVE-2022-0198, CVE-2021-43797, CVE-2022-0235 Multiple vulnerabilities in open source components affect HCL Commerce
WebSphere Application Server and IBM HTTP Server CVE-2021-23450, CVE-2022-23990, CVE-2022-23852, CVE-2022-22822, CVE-2022-22823, CVE-2022-22825, CVE-2021-46143, CVE-2022-22824, CVE-2022-22826, CVE-2022-22827, CVE-2021-45960 Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce
Apache Log4j CVE-2022-23307, CVE-2022-23302, CVE-2022-23305 Vulnerability in Apache Log4j 1.2 affects HCL Commerce
IBM HTTP Server, IBM Java SDK CVE-2022-25315, CVE-2021-35550, CVE-2022-25313, CVE-2022-21340, CVE-2022-25236, CVE-2021-35603, CVE-2022-25235 Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with WebSphere Application Server affect HCL Commerce
WebSphere Application Server CVE-2021-39038 A vulnerability in WebSphere Application Server affects HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.9.0

A number of software vulnerability fixes in companion software have been included in 9.1.9.0.
Affected software CVE(s) Vulnerability
HCL Commerce CVE-2021-27751 HCL Commerce is affected by Insufficient Session Expiration vulnerability
WebSphere Application Server CVE-2021-23450, CVE-2022-23990, CVE-2022-23852, CVE-2022-22822, CVE-2022-22823, CVE-2022-22825, CVE-2021-46143, CVE-2022-22824, CVE-2022-22826, CVE-2022-22827, CVE-2021-45960, Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce
WebSphere Application Server CVE-2021-40438, CVE-2021-45046, CVE-2021-4104, CVE-2021-36090, CVE-2021-38951, CVE-2021-34798, CVE-2021-35517, CVE-2021-35578, CVE-2021-35564, CVE-2021-2369, CVE-2021-39275, CVE-2021-29842 Multiple security vulnerabilities in WebSphere Application Server affect HCL Commerce
Netty All CVE-2021-37136, CVE-2021-37137 Multiple vulnerabilities in Netty All affect HCL Commerce
Multiple open source libraries CVE-2021-3878, CVE-2021-27568, CVE-2021-3869, CVE-2012-0881, CVE-2021-44832, CVE-2021-42550, CVE-2013-4002, CVE-2014-0107, CVE-2009-2625 Multiple vulnerabilities in open source libraries affect HCL Commerce with Elasticsearch

Vulnerabilities addressed in HCL Commerce 9.1.8.1

A number of software vulnerability fixes in companion software have been included in 9.1.8.1.
Affected software CVE(s) Vulnerability
WebSphere Application Server CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Multiple vulnerabilities in Apache Log4j 2 affect HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.8.0

A number of software vulnerability fixes in companion software have been included in 9.1.8.0.
Affected software CVE(s) Vulnerability
WebSphere Application Server CVE-2021-29736 Privilege Escalation vulnerability in WebSphere Application Server affects HCL Commerce
Apache Ant CVE-2021-36373, CVE-2021-36374 Multiple vulnerabilities in Apache Ant affect HCL Commerce
Apache Tomcat CVE-2021-33037 Vulnerability in Apache Tomcat affects HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.7.0

A number of software vulnerability fixes in companion software have been included in 9.1.7.0.
Affected software CVE(s) Vulnerability
HCL Commerce CVE-2021-27750 Session termination vulnerability in HCL Commerce
WebSphere Application Server CVE-2020-5016 A vulnerability in WebSphere Application Server affects HCL Commerce
WebSphere Application Server CVE-2020-5258, CVE-2021-20453, CVE-2021-20454, CVE-2021-26296, CVE-2021-2161, CVE-2015-5262, CVE-2011-1498, CVE-2014-3577, CVE-2012-6153, CVE-2021-29754 Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce
Apache Tomcat CVE-2020-11996, CVE-2020-13934, CVE-2021-25122, CVE-2021-25329, CVE-2021-24122, CVE-2020-1935, CVE-2020-13943 Multiple vulnerabilities in Apache Tomcat affects HCL Commerce
Apache PDFBox CVE-2021-27807, CVE-2021-27906 Multiple vulnerabilities in Apache PDFBox affect HCL Commerce
Apache PDFBox CVE-2021-31811, CVE-2021-31812 Multiple security vulnerabilities in Apache PDFBox affect HCL Commerce
CKeditor CVE-2021-26272 Vulnerability in CKeditor affects HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.6.0

A number of software vulnerability fixes in companion software have been included in 9.1.6.0.
Affected software CVE(s) Vulnerability
HCL Commerce CVE-2021-27741 XML external entity (XXE) injection vulnerability in HCL Commerce
WebSphere Application Server CVE-2020-4576, CVE-2020-14797, CVE-2020-4949, CVE-2021-20353, CVE-2021-20354, CVE-2020-2773, CVE-2020-14782, CVE-2020-27221, CVE-2020-14781 Multiple vulnerabilities in WebSphere Application Server affects HCL Commerce
Jackson Dataformat CVE-2020-28491 Multiple vulnerabilities in Jackson Dataformat, Netty Handler and Elastic Search affect HCL Commerce
Netty Handler CVE-2020-21290 Multiple vulnerabilities in Jackson Dataformat, Netty Handler and Elastic Search affect HCL Commerce
Elasticsearch CVE-2020-7021 Multiple vulnerabilities in Jackson Dataformat, Netty Handler and Elastic Search affect HCL Commerce
Netty All library CVE-2021-21290 Information disclosure vulnerability in Netty All library affects HCL Commerce
CKEditor CVE-2020-9281, CVE-2018-17960 Cross-site scripting (XSS) vulnerabilities in CKEditor shipped with HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.5.0

A number of software vulnerability fixes in companion software have been included in 9.1.5.0.

Vulnerabilities addressed in HCL Commerce 9.1.4.0

A number of software vulnerability fixes in companion software have been included in 9.1.4.0.
Affected software CVE(s) Vulnerability
WebSphere Application Server CVE-2020-4782, CVE-2020-4576 Multiple vulnerabilities in WebSphere Application Server affects HCL Commerce
JUnit4 CVE-2020-15250 Vulnerability in JUnit4 affects HCL Commerce

Vulnerabilities addressed in HCL Commerce 9.1.3.0

A number of software vulnerability fixes in companion software have been included in 9.1.3.0.
Affected software CVE(s) Vulnerability
IBM® Java SDK included with WebSphere Application Server CVE-2020-2601, CVE-2020-14621, CVE-2020-14581, CVE-2020-14579, CVE-2020-14578, CVE-2020-14577, CVE-2020-2590 Security vulnerabilities in IBM® Java SDK included with WebSphere Application Server affect HCL Commerce
WebSphere Application Server CVE-2020-4589, CVE-2020-4643, CVE-2020-4578 Multiple vulnerabilities in WebSphere Application Server affects HCL Commerce