Lucene search

K
ibmIBM7BA0DB6875E29350E1C9C213519005687136DD7DE1FCD9EFE76C49D44EAD5DFD
HistoryFeb 24, 2022 - 6:19 a.m.

Security Bulletin: IBM PowerVM Novalink could allow a remote authenticated attacker to conduct an LDAP injection.

2022-02-2406:19:03
www.ibm.com
4

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

46.4%

Summary

IBM PowerVM Novalink, which consumes IBM WebSphere Application Server Liberty 21.0.0.10, could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM strongly recommends addressing the vulnerability now by applying the fix below which provides upgrade to IBM WebSphere Application Server Liberty to 22.0.0.2.

Vulnerability Details

CVEID:CVE-2021-39031
**DESCRIPTION:**IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 213875.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213875 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM PowerVM NovaLink 1.0.0.16
IBM PowerVM NovaLink 2.0.0.0
IBM PowerVM NovaLink 2.0.1
IBM PowerVM NovaLink 2.0.2
IBM PowerVM NovaLink 2.0.2.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading based on the table below.

Product Version Remediation
IBM PowerVM NovaLink 1.0.0.16 Update to pvm-novalink 1.0.0.16-220215
IBM PowerVM NovaLink 2.0.0.0 Update to pvm-novalink 2.0.1-220215 or later
IBM PowerVM NovaLink 2.0.1 Update to pvm-novalink 2.0.1-220215 or later
IBM PowerVM NovaLink 2.0.2 Update to pvm-novalink 2.0.2.1-220215 or later
IBM PowerVM NovaLink 2.0.2.1 Update to pvm-novalink 2.0.2.1-220215

Workarounds and Mitigations

None

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

46.4%

Related for 7BA0DB6875E29350E1C9C213519005687136DD7DE1FCD9EFE76C49D44EAD5DFD