Vulnerability Name: CVE-2022-22475 (CCN-225603)
Assigned: 2022-05-16
Published: 2022-05-16
Updated: 2022-06-21
Summary: IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 are vulnerable to identity spoofing by an authenticated user. IBM X-Force ID: 225603.

CVSS v3 Severity:
6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): High
    Availability (A): None
7.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
6.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): High
    Integrity (I): High
    Availability (A): Low

CVSS v2 Severity:
4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): Partial
    Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:P)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): High
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): Complete
    Integrity (I): Complete
    Availability (A): Partial

Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Privileges

References:
Source: MITRE Type: CNA
  CVE-2022-22475
Source: XF Type: UNKNOWN
  ibm-websphere-cve202222475-spoofing(225603)
Source: XF Type: VDB Entry, Vendor Advisory
  ibm-websphere-cve202222475-spoofing (225603)
Source: CCN Type: IBM Security Bulletin 6586734 (WebSphere Application Server Liberty)
  IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475)
Source: CONFIRM Type: Patch, Vendor Advisory
  https://www.ibm.com/support/pages/node/6586734
Source: CCN Type: IBM Security Bulletin 6591057 (Watson Explorer)
  Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2022-22475, CVE-2021-39038)
Source: CCN Type: IBM Security Bulletin 6594153 (Liberty for Java)
  Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6595617 (i)
  IBM WebSphere Application Server Liberty for IBM i is vulnerable to identity spoofing and port status query (CVE-2022-22475 CVE-2022-22393)
Source: CCN Type: IBM Security Bulletin 6602555 (MQ Appliance)
  IBM MQ Appliance is affected by an identity spoofing vulnerability (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6603695 (Watson Discovery)
  IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty
Source: CCN Type: IBM Security Bulletin 6603703 (Voice Gateway)
  Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server
Source: CCN Type: IBM Security Bulletin 6606995 (Tivoli Netcool/Impact)
  A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6608168 (PowerVM NovaLink)
  IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user.. (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6611147 (MQ Operator)
  IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Golang Go, libxml2, curl, expat, libgcrypt and IBM WebSphere Application Server Liberty
Source: CCN Type: IBM Security Bulletin 6611967 (Cloud Pak for Automation)
  Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2022
Source: CCN Type: IBM Security Bulletin 6612347 (Match 360)
  CP4D Match 360 is affected by Identity Spoofing vulnerability in IBM WebSphere Application Server Liberty
Source: CCN Type: IBM Security Bulletin 6612821 (Security Verify Governance)
  Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component (CVE-2022-22475, CVE-2022-22476)
Source: CCN Type: IBM Security Bulletin 6613565 (Spectrum Control)
  IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM WebSphere Application Server Liberty and OpenSSL (CVE-2022-2068, CVE-2022-2097, CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6614703 (Security Verify Governance)
  IBM Security Verify Governance is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6616293 (Cloud Transformation Advisor)
  IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6618319 (Spectrum Scale)
  A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6618331 (Elastic Storage System)
  A vulnerability in IBM WebSphere Application Server Liberty affects IBM Elastic Storage System (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6618335 (SPSS Analytic Server)
  IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6618351 (Cloud Application Business Insights)
  Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-22475, CVE-2022-22476, CVE-2022-21540 & CVE-2022-21541
Source: CCN Type: IBM Security Bulletin 6618589 (Rational Asset Analyzer)
  Rational Asset Analyzer is vulnerable to Identity Spoofing (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6619289 (SPSS Collaboration and Deployment Services)
  Multiple vulnerabilities in WebSphere Liberty affect SPSS Collaboration and Deployment Services
Source: CCN Type: IBM Security Bulletin 6619681 (TXSeries for Multiplatforms)
  A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms
Source: CCN Type: IBM Security Bulletin 6619687 (CICS TX Standard)
  IBM CICS TX Standard is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6619691 (CICS TX Advanced)
  IBM CICS TX Advanced is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6619929 (CICS Transaction Gateway)
  An identity spoofing vulnerability in IBM WebSphere Application Server Liberty affects CICS Transaction Gateway
Source: CCN Type: IBM Security Bulletin 6619953 (WIoTP MessageGateway)
  Vulnerabilities in openSSL and WebSphere Liberty affect IBM WIoTP MessageGateway (CVE-2022-22476 CVE-2019-11777 CVE-2022-22475 CVE-2022-2097 CVE-2022-2068 CVE-2022-1292)
Source: CCN Type: IBM Security Bulletin 6619973 (Log Analysis)
  Identity Spoofing vulnerability in IBM WebSphere Application Server Liberty affects IBM Operations Analytics - Log Analysis (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6620251 (Tivoli Application Dependency Discovery Manager)
  Due to use of IBM WebSphere Application Server Liberty, IBM Tivoli Application Dependency Discovery Manager is vulnerable to Identity Spoofing (CVE-2022-22475 CVE-2022-22476)
Source: CCN Type: IBM Security Bulletin 6823727 (Spectrum Protect Backup-Archive Client)
  Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments
Source: CCN Type: IBM Security Bulletin 6826027 (Cloud Pak for Watson AIOps)
  Multiple Vulnerabilities in CloudPak for Watson AIOPs
Source: CCN Type: IBM Security Bulletin 6830615 (MQ)
  IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6841803 (Cognos Controller)
  IBM Cognos Controller has addressed multiple vulnerabilities
Source: CCN Type: IBM Security Bulletin 6842115 (Operations Analytics Predictive Insights)
  A vulnerability in IBM WebSphere Application Server Liberty profile affects IBM Operations Analytics Predictive Insights(CVE-2022-22393 CVE-2022-22476 CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6853675 (CICS Transaction Gateway)
  Vulnerability in IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 affects CICS Transaction Gateway
Source: CCN Type: IBM Security Bulletin 6953617 (Security Verify Access)
  Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.
Source: CCN Type: IBM Security Bulletin 6953649 (InfoSphere Global Name Management)
  Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476)
Source: CCN Type: IBM Security Bulletin 6956864 (B2B Advanced Communications)
  IBM B2B Advanced Communications is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475)
Source: CCN Type: IBM Security Bulletin 6989131 (Maximo Application Suite)
  IBM WebSphere Application Server Liberty and Open Liberty is vulnerable to CVE-2022-22475 used in IBM Maximo Application Suite - Monitor Component
Source: CCN Type: IBM Security Bulletin 7001693 (Security Directory Suite VA)
  IBM Security Directory Suite is vulnerable to multiple issues

Vulnerable Configuration:

Configuration 1:
cpe:/a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* (Version >= 17.0.0.3 and <= 22.0.0.5)
OR cpe:/a:ibm:open_liberty:*:*:*:*:*:*:*:* (Version >= 17.0.0.3 and <= 22.0.0.5)

Configuration CCN 1:
cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
OR cpe:/a:ibm:websphere_application_server:22.0.0.5:*:*:*:liberty:*:*:*
AND
cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:cics_transaction_gateway:9.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:txseries:8.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_explorer:11.0.0:*:*:*:*:*:*:*
OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_explorer:11.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_explorer:11.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.6:*:*:*:*:*:*:*
OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_explorer:12.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_explorer:12.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_explorer:12.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
OR cpe:/o:ibm:i:7.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:infosphere_global_name_management:6.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_backup-archive_client:8.1.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_for_virtual_environments:8.1.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:txseries:9.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:watson_explorer:12.0.3:*:deep_analytics:*:analytical_components:*:*:*
OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_for_space_management:8.1.9.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_backup-archive_client:8.1.9.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spss_collaboration_and_deployment_services:8.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:spss_collaboration_and_deployment_services:8.2.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.23:*:*:*:*:*:*:*
OR cpe:/a:ibm:cics_transaction_gateway:9.1.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:cics_transaction_gateway:9.2.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.6:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_verify_access:10.0.2.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
OR cpe:/a:ibm:security_verify_access:10.0.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_scale:5.1.0.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_verify_access:10.0.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:*
OR cpe:/a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:*
OR cpe:/o:ibm:i:7.5:*:*:*:*:*:*:*
OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
OR cpe:/a:ibm:security_verify_access:10.0.3.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spss_analytic_server:3.1.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:spectrum_protect_for_space_management:8.1.7.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:cics_transaction_gateway:9.2:*:*:*:*:*:*:*
OR cpe:/a:ibm:security_verify_access:10.0.4.0:*:*:*:*:*:*:*
OR cpe:/a:ibm:multi-enterprise_integration_gateway:1.0.0.1:*:*:*:*:*:*:*

Vulnerable components:
ibm websphere application server *
ibm open liberty *
ibm websphere application server 17.0.0.3
ibm websphere application server 22.0.0.5
ibm i 7.2
ibm cics transaction gateway 9.1
ibm tivoli netcool/impact 7.1.0
ibm txseries 8.2
ibm watson explorer 11.0.0
ibm i 7.3
ibm watson explorer 11.0.1
ibm watson explorer 11.0.2
ibm operations analytics predictive insights 1.3.3
ibm operations analytics predictive insights 1.3.5
ibm operations analytics predictive insights 1.3.6
ibm rational asset analyzer 6.1.0.0
ibm watson explorer 12.0.0
ibm watson explorer 12.0.1
ibm watson explorer 12.0.2
ibm cognos controller 10.4.0
ibm i 7.4
ibm infosphere global name management 6.0
ibm cognos controller 10.4.1
ibm spectrum protect backup-archive client 8.1.0.0
ibm spectrum protect for virtual environments 8.1.0.0
ibm voice gateway 1.0.2
ibm voice gateway 1.0.3
ibm cloud transformation advisor 2.0.1
ibm cloud pak for automation 19.0.3
ibm txseries 9.1
ibm watson explorer 12.0.3
ibm tivoli application dependency discovery manager 7.3.0.0
ibm voice gateway 1.0.2.4
ibm voice gateway 1.0.4
ibm spectrum protect for space management 8.1.9.0
ibm spectrum protect backup-archive client 8.1.9.0
ibm spss collaboration and deployment services 8.2
ibm spss collaboration and deployment services 8.2.1
ibm voice gateway 1.0.5
ibm cloud pak for automation 20.0.1
ibm log analysis 1.3.5.3
ibm log analysis 1.3.6.0
ibm rational asset analyzer 6.1.0.23
ibm cics transaction gateway 9.1.0.3
ibm cics transaction gateway 9.2.0.2
ibm cloud pak for automation 20.0.2
ibm log analysis 1.3.6.1
ibm cognos controller 10.4.2
ibm voice gateway 1.0.6
ibm cloud pak for automation 20.0.3
ibm security verify access 10.0.2.0
ibm voice gateway 1.0.7
ibm cloud pak for automation 21.0.1
ibm cloud pak for automation 21.0.2 -
ibm security verify access 10.0.0.0
ibm spectrum scale 5.1.0.0
ibm security verify access 10.0.1.0
ibm cloud pak for automation 19.0.1
ibm cloud pak for automation 19.0.2
ibm i 7.5
ibm cics tx 11.1
ibm cics tx 11.1
ibm security verify access 10.0.3.0
ibm security verify governance 10.0
ibm spss analytic server 3.1.0
ibm spectrum protect for space management 8.1.7.0
ibm cics transaction gateway 9.2
ibm security verify access 10.0.4.0
ibm multi-enterprise integration gateway 1.0.0.1