Lucene search

K
ibmIBM11EC3D7CD4F5439B811617F3C943BF54EB33675DC25219644BED3D868E6EE2D7
HistoryMar 09, 2023 - 2:58 a.m.

Security Bulletin: Multiple Vulnerabilities in IBM HTTP Server affect WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On

2023-03-0902:58:28
www.ibm.com
28
ibm http server
ibm websphere application server
ibm security access manager

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8

Confidence

High

EPSS

0.077

Percentile

94.3%

Summary

There are multiple vulnerabilities in the IBM HTTP Server, which is used by IBM WebSphere Application Server, due to the included Apache HTTP Server and Apache Portable Runtime: CVE-2022-28331, CVE-2022-36760, CVE-2022-37436, CVE-2006-20001, and CVE-2022-25147. IBM WebSphere Application Server is shipped with IBM Security Access Manager for Enterprise Single Sign-On. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Access Manager for Enterprise Single-Sign On 8.2.1, 8.2.2

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Principal Product and Version(s) Affected Supporting Product and Version Affected Supporting Product Security Bulletin
IBM Security Access Manager for Enterprise Single Sign-On 8.2.1 IBM WebSphere Application Server 8.5 Security Bulletin: IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server and Apache Portable Runtime
IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 IBM WebSphere Application Server 8.5 Security Bulletin: IBM HTTP Server is vulnerable to multiple vulnerabilities due to the included Apache HTTP Server and Apache Portable Runtime

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsecurity_access_manager_for_enterprise_single_sign-onMatch8.2.1
OR
ibmsecurity_access_manager_for_enterprise_single_sign-onMatch8.2.2
VendorProductVersionCPE
ibmsecurity_access_manager_for_enterprise_single_sign-on8.2.1cpe:2.3:a:ibm:security_access_manager_for_enterprise_single_sign-on:8.2.1:*:*:*:*:*:*:*
ibmsecurity_access_manager_for_enterprise_single_sign-on8.2.2cpe:2.3:a:ibm:security_access_manager_for_enterprise_single_sign-on:8.2.2:*:*:*:*:*:*:*

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8

Confidence

High

EPSS

0.077

Percentile

94.3%