Security Bulletin: IBM DataPower Gateway does not invalidate active sessions on a password change (CVE-2022-40228)

Published: 2022-11-21 21:27:17
Source: www.ibm.com
Tags: ibm datapower gateway, session invalidation, password change, cve-2022-40228, security bulletin, vulnerability, fix, version, mitigation

**CVSS 3.1 (Vulners):** 5.4 Medium, vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N`

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |

**EPSS:** 0.001 (Low), percentile 19.9%

Summary

If a user password is changed, IBM DataPower Gateway does not immediately invalidate existing active sessions that were created with the old password. This means that a session created using a compromised password could continue to operate after the password has been changed until the session expires.

Vulnerability Details

**CVEID:** CVE-2022-40228
**DESCRIPTION:** IBM DataPower Gateway does not invalidate sessions after a password change, which could allow an authenticated user to impersonate another user on the system.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/235527 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM DataPower Gateway V10CD | 10.0.3.0 - 10.0.4.0 |
| IBM DataPower Gateway 10.0.1 | 10.0.1.0 - 10.0.1.9 |
| IBM DataPower Gateway 2018.4.1 | 2018.4.1.0 - 2018.4.1.22 |
| IBM DataPower Gateway 10.5.0 | 10.5.0.0 - 10.5.0.2 |

Remediation/Fixes

| Affected Product | Fixed in version | APAR |
|---|---|---|
| IBM DataPower Gateway V10CD | 10.0.4.0-SR2 | IT42101 |
| IBM DataPower Gateway 10.0.1 | 10.0.1.10 | IT42101 |
| IBM DataPower Gateway 2018.4.1 | 2018.4.1.23 | IT42101 |

This issue will be addressed in a future fixpack for 10.5.0.

Workarounds and Mitigations

After changing a password due to suspected compromise, reloading the gateway will invalidate all current sessions.
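The behaviour the bulletin describes, the fix it implies, and the reload workaround, as an added model written for this page (not DataPower's own code): each session records the password generation it was issued under, so a password change makes older sessions stale without waiting for expiry, and `reload()` stands in for reloading the gateway.

```python
import secrets


class SessionStore:
    """Session model. With bind_to_password=False the store behaves as the
    bulletin describes: sessions survive a password change until they expire."""

    def __init__(self, bind_to_password=True):
        self.bind_to_password = bind_to_password
        self.pw_generation = {}  # username -> int, bumped on every password change
        self.sessions = {}       # token -> {"user", "pw_gen", "expires"}

    def add_user(self, user):
        self.pw_generation[user] = 0

    def login(self, user, now, ttl=3600):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user,
                                "pw_gen": self.pw_generation[user],
                                "expires": now + ttl}
        return token

    def change_password(self, user):
        # Bumping the generation is what lets is_valid() reject old sessions.
        self.pw_generation[user] += 1

    def is_valid(self, token, now):
        s = self.sessions.get(token)
        if s is None or now >= s["expires"]:
            return False
        if self.bind_to_password and s["pw_gen"] != self.pw_generation[s["user"]]:
            return False  # issued under a password that has since been changed
        return True

    def reload(self):
        # Models the bulletin's workaround: reloading the gateway drops every session.
        self.sessions.clear()


def demo():
    """Returns (vulnerable_after_change, fixed_after_change, after_reload)."""
    t0 = 1_000_000  # constructed clock value, seconds
    vuln = SessionStore(bind_to_password=False)
    vuln.add_user("alice")
    tok = vuln.login("alice", now=t0)
    vuln.change_password("alice")
    vulnerable_after_change = vuln.is_valid(tok, now=t0 + 60)  # True: still usable
    fixed = SessionStore(bind_to_password=True)
    fixed.add_user("alice")
    tok2 = fixed.login("alice", now=t0)
    fixed.change_password("alice")
    fixed_after_change = fixed.is_valid(tok2, now=t0 + 60)  # False
    tok3 = vuln.login("alice", now=t0)
    vuln.reload()
    return vulnerable_after_change, fixed_after_change, vuln.is_valid(tok3, now=t0 + 60)
```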

Affected configurations (Vulners node)

ibm datapower_gateway, version ranges: 10.0.3.0 - 10.0.4.0; 10.0.1.0 - 10.0.1.9; 2018.4.1.0 - 2018.4.1.22; 10.5.0.0 - 10.5.0.2
