Lucene search

IBMEEDF3970F66A62F2338E990A3E4A81BC7D50DF58E9E9DFAB51FFA8DFF42AC5C8

HistoryJul 29, 2022 - 8:34 a.m.

Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty, with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status . (CVE-2022-22393)

2022-07-2908:34:52

www.ibm.com

ibm powervm novalink

ibm websphere application server liberty

authenticated user

http/https ports

vulnerability

upgrade

cve-2022-22393

ibm x-force id 222078

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

23.7%

JSON

Summary

IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty 1, with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server.

Vulnerability Details

CVEID:CVE-2022-22393
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.5 , with the adminCenter-1.0 feature configured, could allow an authenticated user to issue a request to obtain the status of HTTP/HTTPS ports which are accessible by the application server. IBM X-Force ID: 222078.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222078 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
PowerVM Novalink	2.0
PowerVM Novalink	2.0.1
PowerVM Novalink	2.0.2
PowerVM Novalink	2.0.2.1
PowerVM Novalink	2.0.3

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading based on the table below.

Product	Version	Remediation
PowerVM Novalink	2.0.0.0	Update to pvm-novalink 2.0.1-220617
PowerVM Novalink	2.0.1	Update to pvm-novalink 2.0.1-220617
PowerVM Novalink	2.0.2	Update to pvm-novalink 2.0.3-220627
PowerVM Novalink	2.0.2.1	Update to pvm-novalink 2.0.3-220627
PowerVM Novalink	2.0.3	Update to pvm-novalink 2.0.3-220627

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmpowervmMatch2.0.1

ibmpowervmMatch2.0.3

VendorProductVersionCPE
ibmpowervm2.0.1cpe:2.3:o:ibm:powervm:2.0.1:*:*:*:*:*:*:*
ibmpowervm2.0.3cpe:2.3:o:ibm:powervm:2.0.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	powervm	2.0.1	cpe:2.3:o:ibm:powervm:2.0.1:::::::*
ibm	powervm	2.0.3	cpe:2.3:o:ibm:powervm:2.0.3:::::::*

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

23.7%

JSON

Related for EEDF3970F66A62F2338E990A3E4A81BC7D50DF58E9E9DFAB51FFA8DFF42AC5C8