IBM447FEC42028C43695F236913B9B65B6EA35AD629445FF5214ABFD4DAF4A821D8Security Bulletin: InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.042 Low
EPSS
Percentile
92.2%
Summary
InfoSphere Identity Insight includes IBM WebSphere Application Server Liberty, which has a vulnerability in the Apache CXF library when jaxws-2.2 feature is enabled. This has been addressed.
Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM InfoSphere Identity Insight | 9.1 |
| IBM InfoSphere Identity Insight | 9.0 |
| IBM InfoSphere Identity Insight | 10.0 |
Remediation/Fixes
Per the original bulletin for CVE-2022-46364 (<https://www.ibm.com/support/pages/security-bulletin-ibm-websphere-application-server-liberty-vulnerable-server-side-request-forgery-due-apache-cxf-cve-2022-46364>), this issue can be resolved by upgrading WebSphere Liberty Profile to version 23.0.0.2 or later. Identity Insight customers are advised to update to version 23.0.0.2. Instructions for this update are found in the tech note at <https://www.ibm.com/support/pages/node/6960567>.
Workarounds and Mitigations
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| infosphere identity insight | eq | 9.0 | |
| infosphere identity insight | eq | 9.1 | |
| infosphere identity insight | eq | 10.0 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.042 Low
EPSS
Percentile
92.2%