Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD6CDEC54C47D86669885E154209DC9A3F19F539EA7F4F1E3C92D56F8F33E8B9D
HistoryMay 17, 2022 - 2:48 p.m.

Security Bulletin: IBM DataPower Gateway vulnerable to temporary DoS

2022-05-1714:48:39
www.ibm.com
7
ibm
datapower gateway
temporary dos
v10cd
10.0.2.0
10.0.3.0
10.0.4.0
10.0.1.0
10.0.1.6
2018.4.1.0
2018.4.1.19
it39994

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

33.5%

JSON

Summary

IBM has addressed the CVEs

Vulnerability Details

CVEID:CVE-2022-22356
**DESCRIPTION:**IBM MQ Appliance 9.2 CD and 9.2 LTS could allow an attacker to enumerate account credentials due to an observable discrepancy in valid and invalid login attempts. IBM X-Force ID: 220487.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220487 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-22355
**DESCRIPTION:**IBM MQ Appliance 9.2 CD and 9.2 LTS are vulnerable to a denial of service in the Login component of the application which could allow an attacker to cause a drop in performance.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220486 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway V10CD 10.0.2.0, 10.0.3.0, 10.0.4.0
IBM DataPower Gateway 10.0.1 10.0.1.0-10.0.1.6
IBM DataPower Gateway 2018.4.1 2018.4.1.0-2018.4.1.19

Remediation/Fixes

Affected Product Fixed in version APAR
IBM DataPower Gateway V10CD 10.0.4.0-SR1 IT39994
IBM DataPower Gateway 10.0.1 10.0.1.7 IT39994
IBM DataPower Gateway 2018.4.1 2018.4.1.20 IT39994

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdatapower_gatewayMatch10.0.4.0
OR
ibmdatapower_gatewayRange10.0.1.0
OR
ibmdatapower_gatewayRange10.0.1.6
OR
ibmdatapower_gatewayRange2018.4.1.0
OR
ibmdatapower_gatewayRange2018.4.1.19
VendorProductVersionCPE
ibmdatapower_gateway10.0.4.0cpe:2.3:a:ibm:datapower_gateway:10.0.4.0:*:*:*:*:*:*:*
ibmdatapower_gateway*cpe:2.3:a:ibm:datapower_gateway:*:*:*:*:*:*:*:*

Related

ibm 1
prion 2
cve 2
cvelist 2
veracode 2
nvd 2
ibm
ibm
Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355)
2022-04-04 11:38:55
prion
prion
Design/Logic Flaw
2022-04-05 17:15:00
Design/Logic Flaw
2022-04-05 17:15:00
cve
cve
CVE-2022-22355
2022-04-05 17:15:08
CVE-2022-22356
2022-04-05 17:15:08
cvelist
cvelist
CVE-2022-22355
2022-04-05 16:45:21
CVE-2022-22356
2022-04-05 16:45:22
veracode
veracode
Denial Of Service (DoS)
2022-04-06 03:10:57
Access Control Bypass
2022-04-07 05:00:44
nvd
nvd
CVE-2022-22355
2022-04-05 17:15:08
CVE-2022-22356
2022-04-05 17:15:08

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

33.5%

JSON
Related for D6CDEC54C47D86669885E154209DC9A3F19F539EA7F4F1E3C92D56F8F33E8B9D
ibm1prion2cve2cvelist2veracode2nvd2