IBM88C568C22335A5F6B364F6A4C6DF92857970A71C42AD8B86858F3A8108E5C070Security Bulletin: IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475)
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
19.6%
Summary
An identity spoofing issue was found within IBM WebSphere Application Server Liberty, which IBM MQ uses to provide WebConsole and REST API functionality.
Vulnerability Details
CVEID:CVE-2022-22475
**DESCRIPTION:**IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. IBM X-Force ID: 225603.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ | 9.1 LTS |
| IBM MQ | 9.2 LTS |
| IBM MQ | 9.1 CD |
| IBM MQ | 9.2 CD |
Remediation/Fixes
This issue was resolved under APAR IT40979.
IBM MQ Version 9.1 LTS
IBM MQ Version 9.2 LTS
IBM MQ Version 9.1 CD and Version 9.2 CD
Workarounds and Mitigations
None
Affected configurations
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
19.6%