IBM7EF70E8A323CCCA40FEC4034D4017D872AC632029EC97CDDB02C9000B5D193C7Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
35.4%
Summary
IBM Sterling Partner Engagement Manager is vulnerable to Slowloris attack is a type of denial-of-service (DoS) attack which targets threaded web servers. The issue has been addressed.
Vulnerability Details
CVEID:CVE-2022-35639
**DESCRIPTION:**IBM Sterling Partner Engagement Manager do not limit the length of a connection which could cause the server to become unresponsive.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230932 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Partner Engagement Manager Standard Edition | 6.1 |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2 |
| IBM Sterling Partner Engagement Manager on Cloud / SaaS | 22.2 |
Remediation/Fixes
| Product | Version | Remediation / Link |
|---|---|---|
| IBM Sterling Partner Engagement Manager Standard Edition | 6.1 | 6.1.2.5 / http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.1.2.5&source=SAR |
| IBM Sterling Partner Engagement Manager Standard Edition | 6.2 | 6.2.0.3 / http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+Sterling+Partner+Engagement+Manager+Software&fixids=IBM_PEM_Standard_6.2.0.3&source=SAR |
| IBM Sterling Partner Engagement Manager on Cloud / SaaS | 22.2 | 22.2.1 / us.icr.io/gold/pem:22.2.1 |
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | partner_engagement_manager | 6.1 | cpe:2.3:a:ibm:partner_engagement_manager:6.1:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
35.4%