Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM035A4DC9711ABDCA09E2983041FEB521F5E3BAD3831962FD1544F4619BD3201D
HistoryAug 03, 2022 - 4:03 p.m.

Security Bulletin: IBM DataPower Gateway does not force a Gateway Peering password change

2022-08-0316:03:32
www.ibm.com
7

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

39.1%

JSON

Summary

The DataPower UI does not notify customers of any gateway-peering instance that uses the system default password. The UI will now warn if the password is not changed.

Vulnerability Details

CVEID:CVE-2022-31776
**DESCRIPTION:**IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.8, 10.5.0.0, and 2018.4.1.0 through 2018.4.1.21 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 228433.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228433 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway 10.5.0 10.5.0.0
IBM DataPower Gateway V10CD 10.0.2.0 - 10.0.4.0
IBM DataPower Gateway 10.0.1 10.0.1.0 - 10.0.1.8
IBM DataPower Gateway 2018.4.1.0 - 2018.4.1.21

Remediation/Fixes

Affected Product Fixed in version APAR
IBM DataPower Gateway 10.5.0.0 10.5.0.1 IT41462
IBM DataPower Gateway V10CD 10.5.0.1 IT41462
IBM DataPower Gateway 10.0.1 10.5.0.1 IT41462
IBM DataPOwer Gateway 2018.4.1 10.5.0.1 IT41462

Customers using IBM DataPower Gateway 10.0.1 or 2108.4.1 may obtain the fix by upgrading to version 10.5.0.1; The fix will be available in a future fixpack on those releases.

Workarounds and Mitigations

None

Related

cnvd 1
prion 1
cve 1
cnvd
cnvd
IBM DataPower Gateway Server-Side Request Forgery Vulnerability (CNVD-2022-56971)
2022-08-04 00:00:00
prion
prion
Server side request forgery (ssrf)
2022-08-01 11:15:00
cve
cve
CVE-2022-31776
2022-08-01 11:15:00

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

39.1%

JSON
Related for 035A4DC9711ABDCA09E2983041FEB521F5E3BAD3831962FD1544F4619BD3201D
cnvd1prion1cve1