History: Dec 06, 2022 - 4:11 p.m.

Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM Tivoli Business Service Manager, is vulnerable to Server-Side Request Forgery (CVE-2022-35282)

2022-12-06 16:11:35
www.ibm.com

Tags: ibm, websphere, tivoli business, server-side request forgery, vulnerability, cve-2022-35282, security bulletin, fix, interim fix, fix pack

CVSS3: 6.5
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 17.7%

Summary

IBM WebSphere Application Server is bundled as a component of the IBM Tivoli Business Service Manager dashboard. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.

Vulnerability Details

CVEID: CVE-2022-35282
**DESCRIPTION:** IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker with local network access could exploit this vulnerability to obtain sensitive data.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/230809 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s): IBM Tivoli Business Service Manager
Version(s): 6.2.0

Remediation/Fixes

Principal Product and Version(s): IBM Tivoli Business Service Manager 6.2.0
Affected Supporting Product and Version: IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH47385.

Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282)

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.13:
- Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH47385
--OR--
- Apply Fix Pack 9.0.5.14 or later (targeted availability 4Q2022).

For V8.5.0.0 through 8.5.5.22:
- Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH47385
--OR--
- Apply Fix Pack 8.5.5.23 or later (targeted availability 1Q2023).

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm tivoli_business_service_manager, match 6.2.0

Vendor: ibm
Product: tivoli_business_service_manager
Version: 6.2.0
CPE: cpe:2.3:a:ibm:tivoli_business_service_manager:6.2.0:*:*:*:*:*:*:*
