Security Bulletin: IBM Maximo Asset Management is vulnerable to authentication bypass (CVE-2022-40616)

Summary

IBM Maximo Asset Management is vulnerable to authentication bypass.

Vulnerability Details

CVEID:CVE-2022-40616
**DESCRIPTION:**IBM Maximo Asset Management could allow a user to bypass authentication and obtain sensitive information or perform tasks they should not have access to.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236311 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions of the IBM Maximo Asset Management core product.

Product versions affected:

• To determine the core product version, log in and view System Information. The core product version is the “Tivoli’s process automation engine” version. Please consult the Platform Matrix for a list of supported product combinations.

Remediation/Fixes

See Workarounds and Mitigations section.

Workarounds and Mitigations

Before proceeding, ensure that security is configured for all object structures. After the following change is implemented, no access is permitted except through explicitly defined security.
1. Go to the System Properties application and locate the property mxe.int.enableosauth.
2. Set the value for that property to 1 and save.
3. Live refresh the property value.