CVE-2022-22354

IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.2 and IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 do not limit the length of a connection which could allow for a Slowloris HTTP denial of service attack to take place. This can cause the Admin Console to become unresponsive. IBM X-Force ID: 220485.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/220485	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6562479	Vendor Advisory
https://www.ibm.com/support/pages/node/6562989	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:ibm:spectrum_copy_data_management::::::::
	cpe:2.3:a:ibm:spectrum_protect_plus::::::::

cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-03-14 17:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-22354

Mitre link : CVE-2022-22354

CVE.ORG link : CVE-2022-22354

JSON object : View

Products Affected

ibm

spectrum_protect_plus
spectrum_copy_data_management

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-22354", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.5}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-03-14T17:15:08.040", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/220485", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6562479", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/pages/node/6562989", "tags": ["Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.2 and IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 do not limit the length of a connection which could allow for a Slowloris HTTP denial of service attack to take place. This can cause the Admin Console to become unresponsive. IBM X-Force ID: 220485."}, {"lang": "es", "value": "IBM Spectrum Protect Plus versiones 10.1.0.0 hasta 10.1.9.2 e IBM Spectrum Copy Data Management versiones 2.2.0.0 hasta 2.2.14.3, no limitan la duraci\u00f3n de una conexi\u00f3n, lo que podr\u00eda permitir un ataque de denegaci\u00f3n de servicio HTTP Slowloris. Esto puede causar que la consola de administraci\u00f3n deje de responder. IBM X-Force ID: 220485"}], "lastModified": "2022-03-22T14:49:37.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:spectrum_copy_data_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97BA0DB5-BB5C-471A-A409-1DB7ABD78CA2", "versionEndExcluding": "2.2.15", "versionStartIncluding": "2.2.0.0"}, {"criteria": "cpe:2.3:a:ibm:spectrum_protect_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E808AE8E-5D33-47ED-909E-26BCBCDB9599", "versionEndExcluding": "10.1.9.3", "versionStartIncluding": "10.1.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8BA79AC0-A0CC-4EE6-AEF5-9B8C8EA2C9F1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@us.ibm.com"}