CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
28.9%
Liberty for Java for IBM Cloud is vulnerable to clickjacking through IBM WebSphere Application Server Liberty features mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, apiDiscovery-1.0, openapi-3.0 or openapi-3.1. This has been addressed.
**CVEID:**CVE-2021-39038 DESCRIPTION: IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213968 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)
These vulnerabilities affect all versions of Liberty for Java for IBM Cloud up to and including v3.67.
To upgrade to Liberty for Java for IBM Cloud v3.67-20220303-1119 or higher, you must re-stage or re-push your application
To find the current version of Liberty for Java for IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:
cf ssh <appname> -c “cat staging_info.yml”
Look for similar lines:
{“detected_buildpack”:“Liberty for Java™ (WAR, liberty-22.0.0_3, buildpack-v3.67-20220303-1119, ibmjdk-1.8.0_sr7-20211025, env)“,”start_command”:“.liberty/initial_startup.rb”}
To re-stage your application using the command-line Cloud Foundry client, use the following command:
cf restage <appname>
To re-push your application using the command-line Cloud Foundry client, use the following command:
cf push <appname>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | these_vulnerabilities_affect | any | cpe:2.3:a:ibm:these_vulnerabilities_affect:any:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
28.9%