Vulnerability Name:

CVE-2021-39031 (CCN-213875)

Assigned:2021-08-16
Published:2022-01-24
Updated:2022-01-28
Summary:IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability, which could result in granting permission to unauthorized resources. IBM X-Force ID: 213875.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-74
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2021-39031

Source: XF
Type: UNKNOWN
ibm-websphere-cve202139031-ldap-injection(213875)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-websphere-cve202139031-ldap-injection (213875)

Source: CCN
Type: IBM Security Bulletin 6550488 (WebSphere Application Server Liberty)
IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031)

Source: CONFIRM
Type: Mitigation, Vendor Advisory
https://www.ibm.com/support/pages/node/6550488

Source: CCN
Type: IBM Security Bulletin 6554038 (Liberty for Java)
Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6559226 (PowerVM NovaLink)
IBM PowerVM Novalink could allow a remote authenticated attacker to conduct an LDAP injection.

Source: CCN
Type: IBM Security Bulletin 6561029 (Spectrum Control)
IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server - Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson (217225)

Source: CCN
Type: IBM Security Bulletin 6565313 (Transformation Extender Advanced)
IBM Transformation Extender Advanced is vulnerable to LDAP injection due to WebSphere Application Server Liberty (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6568369 (i)
IBM WebSphere Application Server Liberty for IBM i is affected by arbitrary code execution and other attacks due to multiple vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6569153 (MQ Operator CD Release)
IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release

Source: CCN
Type: IBM Security Bulletin 6570241 (SPSS Analytic Server)
IBM SPSS Analytic Server is vulnerable to LDAP Injection (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6570365 (InfoSphere Global Name Management)
LDAP vulnerability in WebSphere Liberty Profile can affect IBM InfoSphere Global Name Management ENS (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6573015 (Watson Speech Services Cartridge for Cloud Pak for Data)
A Vulnerability in IBM WebSphere Application Server - Liberty affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6573409 (Watson Explorer)
Vulnerabilities exist in Watson Explorer for IBM WebSphere Application Server - Liberty (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6573929 (Cloud Application Business Insights)
Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Cloud Application Business Insights (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6574521 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - IBM WebSphere Application Server (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6575473 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6578583 (Cloud Pak for Business Automation)
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2022

Source: CCN
Type: IBM Security Bulletin 6579133 (Spectrum Scale)
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6582535 (MQ)
IBM MQ WebConsole and REST API are affected by CVE-2021-39031.

Source: CCN
Type: IBM Security Bulletin 6589115 (Elastic Storage System)
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM ESS (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6589117 (Elastic Storage System)
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6592587 (WIoTP MessageGateway)
Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/MessageSight

Source: CCN
Type: IBM Security Bulletin 6829073 (Cloud APM)
IBM Performance Management is affected by multiple vulnerabilities in IBM Websphere Application Server (CVE-2021-39031, CVE-2022-22393, and CVE-2022-22476)

Source: CCN
Type: IBM Security Bulletin 6841803 (Cognos Controller)
IBM Cognos Controller has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6967191 (Cloud Pak System Software Suite)
Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect Cloud Pak System (CVE-2022-34165, CVE-2021-39031)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* (Version >= 17.0.0.3 and <= 22.0.0.1)

  • Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:22.0.0.1:*:*:*:liberty:*:*:*
  • AND
  • cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:11.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:transformation_extender:9.0:*:advanced:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:11.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_analytic_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:11.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_scale:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_analytic_server:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_global_name_management:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:iot_messagesight:5.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.3:*:deep_analytics:*:analytical_components:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_scale:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_system:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_control:5.4.5.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    ibm websphere application server *
    ibm websphere application server 17.0.0.3
    ibm websphere application server 22.0.0.1
    ibm i 7.2
    ibm watson explorer 11.0.0
    ibm transformation extender 9.0
    ibm i 7.3
    ibm watson explorer 11.0.1
    ibm spss analytic server 3.0
    ibm watson explorer 11.0.2
    ibm spectrum scale 5.0.0
    ibm spss analytic server 3.1
    ibm watson explorer 12.0.0
    ibm watson explorer 12.0.1
    ibm watson explorer 12.0.2
    ibm cognos controller 10.4.0
    ibm i 7.4
    ibm infosphere global name management 6.0
    ibm cognos controller 10.4.1
    ibm cloud transformation advisor 2.0.1
    ibm iot messagesight 5.0.0.0
    ibm watson explorer 12.0.3
    ibm cloud private 3.2.1 cd
    ibm cloud private 3.2.2 cd
    ibm cognos controller 10.4.2
    ibm spectrum scale 5.1.0
    ibm elastic storage system 6.0.0
    ibm cloud pak for business automation 18.0.0
    ibm cloud pak for business automation 18.0.2
    ibm cloud pak for business automation 19.0.1
    ibm cloud pak for business automation 19.0.3
    ibm cloud pak for business automation 20.0.1
    ibm cloud pak for business automation 20.0.3
    ibm cloud pak for business automation 21.0.1 -
    ibm cloud pak for business automation 21.0.2 -
    ibm cloud pak for business automation 21.0.3 -
    ibm spectrum control 5.4.5.2