
Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22475)

2022-10-07 17:40:29
www.ibm.com

EPSS: 0.001 (Low), percentile 19.2%

Summary

Liberty for Java for IBM Cloud is vulnerable to identity spoofing with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature enabled. This has been addressed.

Vulnerability Details

CVEID: CVE-2022-22475
**DESCRIPTION:** IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. IBM X-Force ID: 225603.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

This vulnerability affects all versions of Liberty for Java for IBM Cloud up to and including v3.69.

Remediation/Fixes

To upgrade to Liberty for Java for IBM Cloud v3.70-20220525-0737 or higher, you must re-stage or re-push your application.

To find the current version of Liberty for Java for IBM Cloud being used by an application, run the following command with the command-line Cloud Foundry client:

cf ssh <appname> -c "cat staging_info.yml"

Look for a line similar to the following; the buildpack version is the token beginning with "v" (here v3.70-20220525-0737):

{"detected_buildpack":"Liberty for Java™ (WAR, liberty-22.0.0_3, v3.70-20220525-0737, ibmjdk-1.8.0_sr7-20211025, env)","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>
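The version check above can be scripted so that it can be run across many applications. The following POSIX shell script is an added example, not part of the IBM bulletin and not IBM tooling: it parses the detected_buildpack string from a staging_info.yml line (such as the output of the cf ssh command above), extracts the buildpack version, and reports whether it is at or above v3.70, the first fixed level named in the bulletin (v3.69 and earlier are affected). The sample lines, the function names and the assumption that the version token always has the form vMAJOR.MINOR[-build] are the example's own.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): check whether a Liberty for Java
# for IBM Cloud buildpack version found in staging_info.yml is at or above the
# fixed level v3.70. Versions v3.69 and earlier are affected by CVE-2022-22475.

FIXED_MAJOR=3
FIXED_MINOR=70

# Constructed sample staging_info.yml lines (not captured from a real app).
SAMPLE_FIXED='{"detected_buildpack":"Liberty for Java (WAR, liberty-22.0.0_3, v3.70-20220525-0737, ibmjdk-1.8.0_sr7-20211025, env)","start_command":".liberty/initial_startup.rb"}'
SAMPLE_AFFECTED='{"detected_buildpack":"Liberty for Java (WAR, liberty-22.0.0_1, v3.69-20220301-1200, ibmjdk-1.8.0_sr7-20211025, env)","start_command":".liberty/initial_startup.rb"}'
SAMPLE_OTHER='{"detected_buildpack":"java_buildpack","start_command":"java -jar app.jar"}'

# Read a staging_info.yml line on stdin and print the Liberty for Java buildpack
# version without the leading "v" (e.g. 3.70-20220525-0737). Prints nothing if
# the line does not describe a Liberty for Java buildpack.
buildpack_version() {
  sed -n 's/.*"detected_buildpack":"Liberty for Java[^"]*, v\([0-9][0-9]*\.[0-9][0-9]*[^,)"]*\).*/\1/p'
}

# Return 0 if the given version (MAJOR.MINOR[-build]) is at or above the fixed
# level, 1 otherwise. Only MAJOR and MINOR decide; the build suffix is ignored,
# since the bulletin states that every v3.70 build or higher is fixed.
is_fixed() {
  ver="$1"
  major=${ver%%.*}          # "3.70-20220525-0737" -> "3"
  rest=${ver#*.}            # -> "70-20220525-0737"
  minor=${rest%%-*}         # -> "70"
  minor=${minor%%.*}        # tolerate a third numeric component
  [ "$major" -gt "$FIXED_MAJOR" ] && return 0
  [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ] && return 0
  return 1
}

# Read a staging_info.yml line on stdin, print a verdict, and return
# 0 = fixed, 1 = affected, 2 = no Liberty for Java buildpack version found.
check_staging_info() {
  ver=$(buildpack_version)
  if [ -z "$ver" ]; then
    echo "unknown: no Liberty for Java buildpack version found"
    return 2
  fi
  if is_fixed "$ver"; then
    echo "ok: buildpack v$ver is at or above v3.70 (CVE-2022-22475 fixed)"
    return 0
  fi
  echo "affected: buildpack v$ver is v3.69 or earlier; re-stage or re-push the app"
  return 1
}

# Demonstration on the constructed samples. For a real app, pipe the output of
#   cf ssh <appname> -c "cat staging_info.yml"
# into check_staging_info instead.
for line in "$SAMPLE_FIXED" "$SAMPLE_AFFECTED" "$SAMPLE_OTHER"; do
  printf '%s\n' "$line" | check_staging_info || true
done
```

The exit code is what makes this usable in a loop over `cf apps` output: a non-zero status from check_staging_info flags an app that still needs the cf restage or cf push step from the bulletin.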

Workarounds and Mitigations

None

CPE Name                        Operator   Version
liberty for java for ibm cloud  eq         any
