Published: Jul 21, 2023, 12:37 p.m.

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests (CVE-2022-38712)

Source: www.ibm.com

CVSS3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: HIGH; Availability Impact: NONE

EPSS: 0.001 (Percentile: 26.3%)

Summary

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests (CVE-2022-38712). The fix includes the IBM WebSphere Application Server APAR PH49111.

Vulnerability Details

CVEID: CVE-2022-38712
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Web services could allow a man-in-the-middle attacker to conduct SOAPAction spoofing to execute unwanted or unauthorized operations. IBM X-Force ID: 234762.
CVSS Base score: 5.9
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/234762 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
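SOAPAction spoofing is a mismatch between the operation named in the SOAPAction HTTP header and the operation actually carried in the SOAP body, so that a dispatcher trusting the header routes the request to the wrong handler. The check below is an added example, not code from IBM or from the bulletin: it extracts the operation name from both places and reports whether they agree. It assumes the common convention that the SOAPAction value ends with the operation name (the `urn:bank` namespace, the `GetBalance`/`TransferFunds` operations and the sample messages are all constructed for illustration).

```python
"""Consistency check between the SOAPAction HTTP header and the SOAP body.

Added example, not from the IBM bulletin.  Assumption: the service follows the
common convention that the SOAPAction value ends with the operation name, e.g.
"urn:bank#GetBalance" or "http://example.test/bank/GetBalance".  All sample
messages below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SOAP_ENV_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",     # SOAP 1.2
}


def _split_tag(tag: str) -> Tuple[str, str]:
    """Split an ElementTree '{ns}local' tag into (namespace, local name)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def body_operation(envelope_xml: str) -> Optional[str]:
    """Return the local name of the first child of soap:Body (the operation), or None."""
    root = ET.fromstring(envelope_xml)
    for child in root:
        ns, local = _split_tag(child.tag)
        if local == "Body" and ns in SOAP_ENV_NS:
            for op in child:
                return _split_tag(op.tag)[1]
    return None


def soapaction_operation(header_value: Optional[str]) -> Optional[str]:
    """Extract the operation name from a SOAPAction header value (assumed convention)."""
    if header_value is None:
        return None
    value = header_value.strip().strip('"').strip()
    if not value:
        return None
    # Last segment of a URI-style or URN-style action, e.g. ".../GetBalance" or "...#GetBalance".
    return re.split(r"[/#:]", value)[-1] or None


def check_request(headers: Dict[str, str], body: str) -> Dict[str, Optional[str]]:
    """Compare the header-derived and body-derived operation names.

    status is 'match', 'mismatch', or 'no_action' (header absent or empty, so a
    dispatcher must rely on the body alone).
    """
    header = next((v for k, v in headers.items() if k.lower() == "soapaction"), None)
    action_op = soapaction_operation(header)
    body_op = body_operation(body)
    if action_op is None:
        status = "no_action"
    elif action_op == body_op:
        status = "match"
    else:
        status = "mismatch"
    return {"action_op": action_op, "body_op": body_op, "status": status}


# Constructed sample traffic (not from the advisory).
GOOD_REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><ns:GetBalance xmlns:ns="urn:bank"><ns:acct>42</ns:acct>'
    "</ns:GetBalance></soapenv:Body></soapenv:Envelope>"
)
GOOD_HEADERS = {"Content-Type": "text/xml", "SOAPAction": '"urn:bank#GetBalance"'}

# Same header, but the body names a different operation: this is what a
# header-trusting dispatcher would misroute.
MISMATCHED_REQUEST = GOOD_REQUEST.replace("GetBalance", "TransferFunds")
MISMATCHED_HEADERS = dict(GOOD_HEADERS)

if __name__ == "__main__":
    for name, hdrs, msg in [("good", GOOD_HEADERS, GOOD_REQUEST),
                            ("mismatched", MISMATCHED_HEADERS, MISMATCHED_REQUEST)]:
        print(name, check_request(hdrs, msg))
```

Run stand-alone it prints a `match` result for the first message and a `mismatch` for the second. The check is deliberately conservative: an absent or empty SOAPAction yields `no_action` rather than an alert, and SOAP 1.2 requests, which carry the action in the `Content-Type` `action` parameter rather than a SOAPAction header, would need that parameter parsed as well.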

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.7.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.19 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus.

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.7.0 | IT42706 | Interim fix for APAR (IT42706) is available from IBM Fix Central |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.19 | IT42706 | Interim fix for APAR (IT42706) is available from IBM Fix Central |
| IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT42706 | Interim fix for APAR (IT42706) is available from IBM Fix Central |

Workarounds and Mitigations

None

