Lucene search

IBMC2F5ACF59CB85825FD37AE82F3452F9374CA594BAA9E53F7219D309FB8EF7480

HistoryNov 28, 2022 - 8:53 p.m.

Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171, CVE-2022-3509)

2022-11-2820:53:11

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

31.5%

JSON

Summary

There is a vulnerability in the Google protobuf-java library used by IBM WebSphere Application Server Liberty with the grpc-1.0 or grpcClient-1.0 feature enabled. This has been addressed.

Vulnerability Details

CVEID:CVE-2022-3171
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for binary and text format data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238394 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-3509
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for textformat data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239915 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM WebSphere Application Server Liberty	21.0.0.2 - 22.0.0.12

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH50342. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature.

For IBM WebSphere Application Server Liberty 21.0.0.2 - 22.0.0.12 using the grpc-1.0 or grpcClient-1.0 feature(s):
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH50342
--OR–
· Apply Liberty Fix Pack 22.0.0.13 or later (targeted availability 4Q2022).

Additional interim fixes may be available and linked off the interim fix download page.

Workarounds and Mitigations

None

CPENameOperatorVersion
websphere application servereqany

CPE	Name	Operator	Version
	websphere application server	eq	any

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

31.5%

JSON

Related for C2F5ACF59CB85825FD37AE82F3452F9374CA594BAA9E53F7219D309FB8EF7480