IBM39057F5362908D7CA9F0BF706A883B9C400EE4A6084078F65B97BCBD160E7229Security Bulletin: Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476)
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.0%
Summary
The IBM WebSphere Liberty used in IBM InfoSphere Global Name Management is vulnerable to identity spoofing by an authenticated user. This issue only affects ENS, a part of GNM 6 installed by a small minority of GNM customers. For GNM customers not using ENS, there is no vulnerability.
Vulnerability Details
CVEID:CVE-2022-22475
**DESCRIPTION:**IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. IBM X-Force ID: 225603.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
CVEID:CVE-2022-22476
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM InfoSphere Global Name Management | 6.0 |
| IBM InfoSphere Global Name Management | 6.0 |
Remediation/Fixes
This bulletin is for two issues in WebSphere Liberty described in CVE-2022-22475 and CVE-2022-22476, both related to identity spoofing. These issues only affect ENS, a part of GNM 6 installed by a small minority of GNM customers.
- Per the original bulletin for CVE-2022-22475 (<https://www.ibm.com/support/pages/security-bulletin-ibm-websphere-application-server-liberty-vulnerable-identity-spoofing-cve-2022-22475>), the first issue can be resolved by upgrading WebSphere Liberty to version 22.0.0.6 or later.
- Per the original bulletin for CVE-2022-22476 (<https://www.ibm.com/support/pages/security-bulletin-ibm-websphere-application-server-liberty-vulnerable-identity-spoofing-cve-2022-22476>), the second issue can be resolved by upgrading WebSphere Liberty to version 22.0.0.8 or later.
GNM version 6 customers using Enterprise Name Search (a separate installation from regular GNM, and one which does not apply to most customers) can update ENS using the files and instructions in GNM 6 interim fix 14, available at IBM Fix Central. This updates the WebSphere Liberty in ENS to version 22.0.0.13.
For non-ENS GNM users, there is no vulnerability, and no remediation is required.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| infosphere global name management | eq | 6.0 |
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.0%