VYPR
Unrated severity · NVD Advisory · Published May 3, 2023 · Updated Feb 12, 2025

IBM WebSphere Application Server information disclosure

CVE-2022-39161

Description

IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and IBM WebSphere Application Server Liberty, when configured to communicate with the Web Server Plug-ins for IBM WebSphere Application Server, could allow an authenticated user to conduct spoofing attacks. A man-in-the-middle attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 235069.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM WebSphere Application Server and Liberty, when using Web Server Plug-ins, are vulnerable to spoofing via man-in-the-middle attacks using a trusted certificate, allowing information disclosure.

Vulnerability

IBM WebSphere Application Server traditional V8.5 and V9.0, and IBM WebSphere Application Server Liberty 17.0.0.3 through current, when configured with Web Server Plug-ins versions 8.5 or 9.0, are vulnerable to spoofing attacks. The vulnerability (CVE-2022-39161) allows an authenticated user to conduct man-in-the-middle attacks using a certificate issued by a trusted authority to obtain sensitive information. The CVSS vector is (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) with a base score of 4.8 [1].

Exploitation

An attacker must be on the same network (adjacent) and have low privileges (authenticated). The attack complexity is high, requiring the attacker to obtain a certificate from a trusted authority and perform a man-in-the-middle interception of communications between the WebSphere server and the Web Server Plug-ins. No user interaction is required. The attacker can then capture sensitive information transmitted over the connection [1].

Impact

Successful exploitation results in disclosure of sensitive information (confidentiality high). There is no impact on integrity or availability. The scope remains unchanged [1].

Mitigation

IBM has released fixes. For WebSphere Application Server traditional V9.0.0.0 through 9.0.5.15, upgrade to 9.0.5.16 or later. For V8.5.5.0 through 8.5.5.23, upgrade to 8.5.5.24 or later. For Liberty, upgrade to 23.0.0.3 or later. Alternatively, apply the Web Server Plug-ins interim fix containing APAR PH48747. See the IBM security bulletin for detailed instructions [1].
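The fixed-version thresholds above are easy to misapply by hand across a large estate, so here is an added inventory check (not IBM's code or part of this advisory) that encodes the ranges exactly as the Mitigation and Vulnerability sections state them and flags which hosts still need the upgrade. The inventory records are constructed sample data; the product labels "traditional" and "liberty" are this example's own naming. Note the caveat in the code: a version string alone cannot tell you whether the alternative Web Server Plug-ins interim fix (APAR PH48747) has already been applied, so a "still affected" result from this check means "verify", not "confirmed vulnerable".

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges and the fix level for each, taken from the advisory text:
#   traditional 9.0.0.0 - 9.0.5.15  -> fixed in 9.0.5.16
#   traditional 8.5.5.0 - 8.5.5.23  -> fixed in 8.5.5.24
#   Liberty 17.0.0.3 "through current" -> fixed in 23.0.0.3
# The Liberty upper bound (23.0.0.2) is derived from "23.0.0.3 or later".
FIX_RANGES: Dict[str, List[Tuple[Version, Version, str]]] = {
    "traditional": [
        ((9, 0, 0, 0), (9, 0, 5, 15), "9.0.5.16"),
        ((8, 5, 5, 0), (8, 5, 5, 23), "8.5.5.24"),
    ],
    "liberty": [
        ((17, 0, 0, 3), (23, 0, 0, 2), "23.0.0.3"),
    ],
}


def parse_version(text: str) -> Version:
    """Parse a dotted WebSphere version such as '9.0.5.12' into a 4-tuple.

    Shorter strings are right-padded with zeros ('9.0.5' -> (9, 0, 5, 0)), so
    an incomplete inventory value compares as the lowest fix level of its line.
    Non-numeric input raises ValueError rather than silently passing.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # type: ignore[return-value]


def assess(product: str, version: str) -> Dict[str, Optional[str]]:
    """Return whether a product/version pair falls in an affected range.

    Result keys: 'affected' (bool) and 'fix' (the minimum fixed level, or None).
    """
    if product not in FIX_RANGES:
        raise ValueError(f"unknown product label: {product!r}")
    parsed = parse_version(version)
    for low, high, fixed in FIX_RANGES[product]:
        if low <= parsed <= high:
            return {"affected": True, "fix": fixed}
    return {"affected": False, "fix": None}


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Reduce an inventory of (host, product, version) to the hosts needing action.

    Caveat: a host on an affected level that already carries the Web Server
    Plug-ins interim fix (APAR PH48747) is still reported here, because the
    server version string does not reveal plug-in interim fixes. Treat the
    output as a verification list, not a confirmed-vulnerable list.
    """
    findings = []
    for host, product, version in inventory:
        result = assess(product, version)
        if result["affected"]:
            findings.append((host, version, result["fix"] or ""))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("was-prod-01", "traditional", "9.0.5.12"),
    ("was-prod-02", "traditional", "9.0.5.16"),
    ("was-legacy-01", "traditional", "8.5.5.20"),
    ("liberty-api-01", "liberty", "22.0.0.13"),
    ("liberty-api-02", "liberty", "23.0.0.6"),
]

if __name__ == "__main__":
    for host, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is in an affected range; upgrade to {fix} or later")
```

Running the module prints one line per host still inside an affected range; in a real deployment the inventory would come from your CMDB or from `versionInfo` output collected off each server, and a second column recording whether PH48747 is present would close the caveat above.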

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)