Security Bulletin: The IBM® Engineering Lifecycle Management products recommendation for IBM WebSphere Application Server Liberty vulnerability to Identity Spoofing (CVE-2022-22475)

Summary

On applications on IBM WebSphere Application Server Liberty, an authenticated user could use a brute force attack to extract an encryption key from LTPA token and through a series of involved steps could conduct an attack whereby they replace their user name with that of another user in the LTPA token.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Products

|

Version

—|—

Jazz Foundation

|

CLM 6.0.6.1, CLM 6.0.6, ELM 7.0.2, ELM 7

BM Engineering Workflow Management

|

EWM 7.0.2, EWM 7.0.1, RTC 6.0.6.1, EWM 7

IBM Engineering Requirements Management DOORS Next

|

DOORS Next 7.0.2, DOORS Next 7.0, DOORS

IBM Common Licensing

|

LKS 9.0, Agent 9.0, ART 9.0, Client 9.0

Global Configuration Management

|

All

Remediation/Fixes

IBM® Engineering Lifecycle Management products do not require any additional fix and recommend users to follow the resolution steps given in:

Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475)

Workarounds and Mitigations

None