Mar 31, 2022 - 2:01 a.m.

Security Bulletin: IBM Operations Analytics Predictive Insights is vulnerable due to WebSphere Application Server Information Disclosure vulnerability (CVE-2021-29842)

2022-03-31 02:01:29
www.ibm.com

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 39.9%

Summary

WebSphere Application Server (WAS) is shipped as a component of IBM Operations Analytics Predictive Insights. Information about a WAS information disclosure vulnerability (CVE-2021-29842), which allows a remote user to enumerate usernames due to a difference in responses between valid and invalid login attempts, has been published in a security bulletin.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

| Principal Product and Version(s) | Affected Supporting Product and Version(s) |
| --- | --- |
| IBM Operations Analytics Predictive Insights - All | WebSphere Application Server - 9.0 |
| IBM Operations Analytics Predictive Insights - All | WebSphere Application Server - 8.5 |
| IBM Operations Analytics Predictive Insights - Liberty | WebSphere Application Server Liberty 17.0.0.3 - 21.0.0.9 |

Remediation/Fixes

First, download 1.3.6-TIV-PredictiveInsights-el7-x86_64-InterimFix005 from IBM Fix Central and apply it. Applying iFix5 will upgrade WebSphere Application Server Liberty to version 21.0.0.8.

Then, upgrade WebSphere Application Server following the recommended steps in the security bulletin "WebSphere Application Server is vulnerable to Information Disclosure (CVE-2021-29842)".

Workarounds and Mitigations

None
