Lucene search

K
ibmIBMD1D933E74F951886FE0E0B2DACA0425761D59893EFD0422D5F9C96FC6CE42B06
HistoryDec 07, 2022 - 1:43 a.m.

Security Bulletin: IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On uses IBM HTTP Server that is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)

2022-12-0701:43:40
www.ibm.com
27
ibm websphere application server
denial of service
libexpat vulnerability
ibm security access manager for enterprise single sign-on

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.005

Percentile

76.9%

Summary

IBM HTTP Server used by IBM WebSphere Application Server is vulnerable to denial of service due to libexpat. This has been addressed.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Access Manager for Enterprise Single-Sign On 8.2.0, 8.2.1, 8.2.2

Remediation/Fixes

IBM strongly encourages customers to update their systems rapidly.

Principal Product and Version(s) Affected Supporting Product and Version Affected Supporting Product Security Bulletin
IBM Security Access Manager for Enterprise Single Sign-On 8.2.0 IBM WebSphere Application Server 7.0 Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)
IBM Security Access Manager for Enterprise Single Sign-On 8.2.1 IBM WebSphere Application Server 7.0, 8.5 Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)
IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 IBM WebSphere Application Server 8.5 Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233)

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsecurity_access_manager_for_enterprise_single_sign-onMatch8.2.0
OR
ibmsecurity_access_manager_for_enterprise_single_sign-onMatch8.2.1
OR
ibmsecurity_access_manager_for_enterprise_single_sign-onMatch8.2.2
VendorProductVersionCPE
ibmsecurity_access_manager_for_enterprise_single_sign-on8.2.0cpe:2.3:a:ibm:security_access_manager_for_enterprise_single_sign-on:8.2.0:*:*:*:*:*:*:*
ibmsecurity_access_manager_for_enterprise_single_sign-on8.2.1cpe:2.3:a:ibm:security_access_manager_for_enterprise_single_sign-on:8.2.1:*:*:*:*:*:*:*
ibmsecurity_access_manager_for_enterprise_single_sign-on8.2.2cpe:2.3:a:ibm:security_access_manager_for_enterprise_single_sign-on:8.2.2:*:*:*:*:*:*:*

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.005

Percentile

76.9%