Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476)

Summary

There is a vulnerability in the version of IBM WebSphere Application Server Liberty that was included in IBM SPSS Analytic Server. This vulnerability has been addressed. [CVE-2022-22476]

Vulnerability Details

CVEID:CVE-2022-22476
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the following fixes.

After Analytic Server 3.2.0.x(include 3.2.0), Please use wlp-webProfile8-22.0.0.9.zip

Before Analytic Server 3.2.0.x, Please use wlp-webProfile7-22.0.0.9.zip

<https://www.ibm.com/support/pages/node/6612515&gt;

The recommended solutions include upgrading to IBM SPSS Analytic Server 3.4.0 IFIX as above, or upgrading your IBM WebSphere Application Server Liberty version as described in the WebSphere Application Server security bulletin.

Workarounds and Mitigations

None