Vulnerability Name: CVE-2022-21698 (CCN-219707)

Assigned: 2021-11-16
Published: 2022-02-15
Updated: 2023-07-24
Summary:
CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High
CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): Complete
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-21698

Source: XF
Type: UNKNOWN
prometheus-cve202221698-dos(219707)

Source: security-advisories@github.com
Type: Patch, Third Party Advisory
security-advisories@github.com

Source: security-advisories@github.com
Type: Release Notes, Third Party Advisory
security-advisories@github.com

Source: CCN
Type: client_golang GIT Repository
InstrumentHandler* HTTP middleware prone to DoS through method label cardinality

Source: security-advisories@github.com
Type: Issue Tracking, Third Party Advisory
security-advisories@github.com

Source: security-advisories@github.com
Type: Mailing List, Third Party Advisory
security-advisories@github.com

Source: CCN
Type: oss-sec Mailing List, Tue, 15 Feb 2022 13:53:06 +0100
CVE-2022-21698: HTTP method DOS; Prometheus client_golang <1.11.1 affected; Other web servers might be affected too

Source: CCN
Type: IBM Security Bulletin 6596915 (Cloud Pak for Business Automation)
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022

Source: CCN
Type: IBM Security Bulletin 6614451 (Robotic Process Automation for Cloud Pak)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak

Source: CCN
Type: IBM Security Bulletin 6833266 (CICS TX Standard)
IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Golang Go.

Source: CCN
Type: IBM Security Bulletin 6833268 (CICS TX Advanced)
IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Golang Go.

Source: CCN
Type: IBM Security Bulletin 6967012 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6967018 (CICS TX Standard)
CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6999559 (Edge Application Manager)
IBM Edge Application Manager 4.5 addresses multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6999605 (MQ Operator)
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:prometheus:client_golang:1.11.0:*:*:*:*:go:*:*
  AND
  • cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.opensuse.security:def:7513 | P | golang-github-prometheus-node_exporter-1.5.0-150100.3.23.2 on GA media (Moderate) | 2023-06-12 |
| oval:org.opensuse.security:def:7862 | P | podman-4.4.4-150500.1.4 on GA media (Moderate) | 2023-06-12 |
| oval:com.redhat.rhsa:def:20228057 | P | RHSA-2022:8057: grafana security, bug fix, and enhancement update (Important) | 2022-11-15 |
| oval:com.redhat.rhsa:def:20227519 | P | RHSA-2022:7519: grafana security, bug fix, and enhancement update (Moderate) | 2022-11-08 |
| oval:com.redhat.rhsa:def:20227529 | P | RHSA-2022:7529: container-tools:3.0 security update (Moderate) | 2022-11-08 |
| oval:org.opensuse.security:def:632 | P | Security update for golang-github-prometheus-node_exporter (Moderate) (in QA) | 2022-09-28 |
| oval:org.opensuse.security:def:699 | P | Security update for podman (Important) | 2022-08-17 |
| oval:org.opensuse.security:def:3617 | P | libjson-c2-0.11-2.15 on GA media (Moderate) | 2022-06-28 |
| oval:org.opensuse.security:def:118929 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:125737 | P | Security update for SUSE Manager Client Tools (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:95386 | P | Security update for golang-github-prometheus-alertmanager (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:532 | P | Security update for golang-github-prometheus-alertmanager (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:119234 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:126903 | P | Security update for SUSE Manager Client Tools (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:6077 | P | Security update for SUSE Manager Client Tools (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:918 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:533 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:119424 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:127300 | P | Security update for SUSE Manager Client Tools (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:118739 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:119609 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:org.opensuse.security:def:95247 | P | Security update for node_exporter (Important) | 2022-06-20 |
| oval:com.redhat.rhsa:def:20221762 | P | RHSA-2022:1762: container-tools:rhel8 security, bug fix, and enhancement update (Important) | 2022-05-10 |
| oval:org.opensuse.security:def:452 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |
| oval:org.opensuse.security:def:101597 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |
| oval:org.opensuse.security:def:866 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |
| oval:org.opensuse.security:def:42271 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |
| oval:org.opensuse.security:def:101756 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |
| oval:org.opensuse.security:def:42372 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |
| oval:org.opensuse.security:def:102162 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |
| oval:org.opensuse.security:def:1065 | P | Security update for firewalld, golang-github-prometheus-prometheus (Important) | 2022-04-27 |

  • prometheus client golang 1.11.0
  • ibm cloud pak for business automation 18.0.0
  • ibm cloud pak for business automation 18.0.2
  • ibm cloud pak for business automation 19.0.1
  • ibm cloud pak for business automation 19.0.3
  • ibm cloud pak for business automation 20.0.1
  • ibm cloud pak for business automation 20.0.3
  • ibm cloud pak for business automation 21.0.1 -
  • ibm cloud pak for business automation 21.0.2 -
  • ibm cloud pak for business automation 21.0.3 -
  • ibm cics tx 11.1
  • ibm cics tx 11.1
  • ibm robotic process automation for cloud pak 21.0.1
  • ibm robotic process automation for cloud pak 21.0.2