Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22476)

Summary

Liberty for Java for IBM Cloud is vulnerable to identity spoofing with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature enabled. This has been addressed.

Vulnerability Details

CVEID:CVE-2022-22476
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

These vulnerabilities affect all versions of Liberty for Java for IBM Cloud up to and including v3.71.

Remediation/Fixes

To upgrade to Liberty for Java for IBM Cloud v3.72-20220720-1509 or higher, you must re-stage or re-push your application

To find the current version of Liberty for Java for IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:

cf ssh <appname> -c “cat staging_info.yml”

Look for similar lines:

{“detected_buildpack”:“Liberty for Java™ (WAR, liberty-xxx, v3.72-20220720-1509, xxx, env)“,”start_command”:“.liberty/initial_startup.rb”}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>

Workarounds and Mitigations

None