History: Sep 04, 2023 - 6:55 a.m.

Security Bulletin: The IBM® Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161)

Published: 2023-09-04 06:55:51
Source: www.ibm.com

CVSS3 score: 5.3

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 (Percentile: 23.4%)

Summary

When WebSphere Application Server traditional is used with the optionally installed Web Server Plug-ins component, the lack of hostname verification in the Web Server Plug-ins could allow an authenticated attacker to conduct spoofing attacks. A man-in-the-middle attacker could exploit the traffic as long as the certificate presented is signed by a trusted issuer. The following IBM® Engineering Lifecycle Engineering product is vulnerable to this attack and is addressed in this bulletin: IBM Engineering Test Management.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s)              Version(s)
IBM Engineering Test Management  7.0.1, 7.0.2

Remediation/Fixes

This vulnerability affects the IBM® Engineering Lifecycle Engineering product mentioned above, which uses IBM WebSphere Application Server traditional with Web Server Plug-ins versions 8.5 and 9.0.

The fix provided is for the optionally installed Web Server Plug-ins.

If the product is deployed on one of the above versions, please follow the instructions given in the following article:

Link - <https://www.ibm.com/support/pages/node/6987779>

Workarounds and Mitigations

None

Affected configurations (Vulners)

Any of the following product versions matches:

Vendor  Product                                    Version  CPE
ibm     ibm_engineering_lifecycle_management_base  6.0.6    cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:6.0.6:*:*:*:*:*:*:*
ibm     ibm_engineering_lifecycle_management_base  6.0.6.1  cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:6.0.6.1:*:*:*:*:*:*:*
ibm     ibm_engineering_lifecycle_management_base  7.0      cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0:*:*:*:*:*:*:*
ibm     ibm_engineering_lifecycle_management_base  7.0.1    cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.1:*:*:*:*:*:*:*
ibm     ibm_engineering_lifecycle_management_base  7.0.2    cpe:2.3:a:ibm:ibm_engineering_lifecycle_management_base:7.0.2:*:*:*:*:*:*:*
