History: Jan 23, 2023 - 5:03 p.m.

Security Bulletin: IBM WebSphere Application Server traditional container is vulnerable to information disclosure (CVE-2022-43917)

2023-01-23 17:03:13
www.ibm.com

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 44.7%

Summary

IBM WebSphere Application Server traditional container is vulnerable to information disclosure. This affects only the containerized version of WebSphere Application Server traditional. This has been addressed.

Vulnerability Details

CVEID: CVE-2022-43917
DESCRIPTION: IBM WebSphere Application Server traditional container uses weaker than expected cryptographic keys that could allow an attacker to decrypt sensitive information. This affects only the containerized version of WebSphere Application Server traditional.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM WebSphere Application Server - traditional container | 9.0
IBM WebSphere Application Server - traditional container | 8.5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by following the instructions below to update container images created prior to January 23, 2023.

For IBM WebSphere Application Server traditional container:

For V9.0.0.9 through 9.0.5.14:
· Update all container images created prior to January 23, 2023 to container image version 9.0.5.14 by following the instructions for Checking the Image Version and Updating to the Latest Version.
--OR--
· Update container images to version 9.0.5.15 or later (targeted availability 1Q2023).

For V8.5.5.17 through 8.5.5.22:
· Update all container images created prior to January 23, 2023 to container image version 8.5.5.22 by following the instructions for Checking the Image Version and Updating to the Latest Version.
--OR--
· Update container images to version 8.5.5.23 or later (targeted availability 1Q2023).
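
The remediation rule above, applied to `docker image inspect` output, as an added example that is not part of IBM's bulletin. It assumes the image tag carries the four-part WebSphere version and that the cutoff date is compared in UTC; the registry name and sample records are constructed.

```python
import json
from datetime import date

CUTOFF = date(2023, 1, 23)  # bulletin: images created prior to this date need the update
# (first, last) affected version per release stream, from the Remediation/Fixes section
AFFECTED = {
    (9, 0): ((9, 0, 0, 9), (9, 0, 5, 14)),
    (8, 5): ((8, 5, 5, 17), (8, 5, 5, 22)),
}

def parse_version(text):
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4:
        raise ValueError("expected a four-part version, got %r" % text)
    return parts

def triage(version, created):
    """Classify one image against the bulletin's version ranges and cutoff date."""
    v = parse_version(version)
    stream = AFFECTED.get(v[:2])
    if stream is None or v < stream[0]:
        return "not-covered"          # bulletin gives no guidance for this version
    if v > stream[1]:
        return "fixed-version"        # 9.0.5.15 / 8.5.5.23 or later
    # Docker reports RFC 3339 timestamps with up to nine fractional digits;
    # only the calendar date (first ten characters) matters for the cutoff.
    if date.fromisoformat(created[:10]) < CUTOFF:
        return "update-required"
    return "created-on-or-after-cutoff"

def triage_inspect(inspect_json):
    """Take the JSON array printed by `docker image inspect`, return (tag, verdict) pairs."""
    results = []
    for image in json.loads(inspect_json):
        for tag in image.get("RepoTags") or []:
            # Assumption: the text after the last ':' is the WebSphere version.
            results.append((tag, triage(tag.rsplit(":", 1)[1], image["Created"])))
    return results

# Constructed sample records (not real registry data).
SAMPLE = """[
 {"RepoTags": ["registry.example/was-traditional:9.0.5.14"], "Created": "2022-12-06T18:22:41.123456789Z"},
 {"RepoTags": ["registry.example/was-traditional:9.0.5.14"], "Created": "2023-01-23T09:00:00Z"},
 {"RepoTags": ["registry.example/was-traditional:8.5.5.23"], "Created": "2023-03-01T00:00:00Z"}
]"""

if __name__ == "__main__":
    for tag, verdict in triage_inspect(SAMPLE):
        print(tag, verdict)
```

Run the check against the IBM base image rather than an application image built on top of it: a derived image's `Created` field records the local build time, so a recent rebuild on an old base would pass the date test.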

Workarounds and Mitigations

None

Affected configurations

Vulners Node:
ibm websphere_application_server Match 7.0
OR
ibm websphere_application_server Match 8.0
OR
ibm websphere_application_server Match 8.5
OR
ibm websphere_application_server Match 9.0
