IBM WebSphere Application Server Vulnerability Addressed

An IBM WebSphere Application Server Vulnerability has been addressed.

CVE-2022-22476

On July 8, 2022, the National Vulnerability Database published that IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. It was given a CVSS score of 8.8 (High).

See IBM X-Force ID: 225604

On July 27, IBM published the following recommendations and fixes:

For IBM WebSphere Application Server Liberty 17.0.0.3 – 22.0.0.7 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature(s):
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH47867
–OR–
· Apply Liberty Fix Pack 22.0.0.8 or later (targeted availability 3Q2022).
Additional interim fixes may be available and linked off the interim fix download page.

It is strongly recommended that you address this IBM WebSphere Application Server Vulnerability right away. The fix pack that contains the APAR PH47867 is currently available.

In some cases, Liberty uses features that are not listed in the server.xml file. If you're not sure whether your Liberty server has one of the specified security features, the only way to be certain is to check the CWWKF0012I message in the console.log, messages.log, or trace log from the Liberty server.
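As an added example (not part of IBM's advisory), the following Python script performs that check: it parses the feature list from every CWWKF0012I message in a Liberty log, reports which of the four appSecurity features named above are installed, and tests a Liberty version string against the affected range. The log line is constructed to match the CWWKF0012I message format; the exact timestamp and thread columns are assumptions.

```python
import re
from typing import List

# Features the advisory names as bringing in the vulnerable code path.
AFFECTED_FEATURES = {"appSecurity-1.0", "appSecurity-2.0",
                     "appSecurity-3.0", "appSecurity-4.0"}

# Affected Liberty fix-pack range from the advisory (inclusive).
AFFECTED_MIN = (17, 0, 0, 3)
AFFECTED_MAX = (22, 0, 0, 7)

# CWWKF0012I lists the installed features in square brackets; that list is what we parse.
FEATURE_MSG = re.compile(r"CWWKF0012I: [^\[]*\[([^\]]*)\]")


def installed_features(log_text: str) -> List[str]:
    """Union of all features named in every CWWKF0012I message in the log."""
    found = set()
    for match in FEATURE_MSG.finditer(log_text):
        found.update(f.strip() for f in match.group(1).split(",") if f.strip())
    return sorted(found)


def affected_security_features(log_text: str) -> List[str]:
    """Installed features that make CVE-2022-22476 applicable to this server."""
    return sorted(AFFECTED_FEATURES & set(installed_features(log_text)))


def version_affected(version: str) -> bool:
    """True if a Liberty version such as '22.0.0.7' falls inside the affected range."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (4 - len(parts))          # pad short strings like '22.0.0' to 4 components
    return AFFECTED_MIN <= tuple(parts[:4]) <= AFFECTED_MAX


# Constructed messages.log excerpt; only the CWWKF0012I line matters to the check.
SAMPLE_LOG = """\
[7/8/22, 10:12:01:113 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0012I: \
The server installed the following features: [appSecurity-2.0, jsp-2.3, servlet-4.0, ssl-1.0, transportSecurity-1.0].
[7/8/22, 10:12:01:120 UTC] 0000002a com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0008I: Feature update completed in 1.234 seconds.
"""

if __name__ == "__main__":
    print("affected features:", affected_security_features(SAMPLE_LOG))   # ['appSecurity-2.0']
    print("22.0.0.7 affected:", version_affected("22.0.0.7"))             # True
    print("22.0.0.8 affected:", version_affected("22.0.0.8"))             # False
```

A server whose log shows none of the four features is outside the advisory's scope even if its version is in range; one that shows any of them on an affected version needs PH47867 or 22.0.0.8.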

Workarounds and Mitigations

None