CVE-2022-40616 Maximo Asset Management could allow users to bypass authentication and obtain sensitive information or perform tasks they shouldn't have access to.

There could be a vulnerability in IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3, where a user could receive an email message with a link to a web page. Upon clicking on the linked web page, a user will be prompted to login to the Asset Management system. If the user does not log in, the user could receive another email message with a link to another web page. When the user clicks on this link, the user will be prompted to login, and so on. This can result in a user receiving multiple login requests. This is a known issue that has been assigned the identifier “CVE-2018-9381”. The vulnerability has been patched in software version 7.6.1.2 and later.

IBM Business Process Manager 7.6

IBM Business Process Manager 7.6.1 is susceptible to an unauthenticated vulnerability that could allow a remote user to send email messages to users of this software, which will prompt them to login to the Asset Management system of IBM Maximo Asset Management 7.6.1.1, IBM Maximo Asset Management 7.6.1.2 or IBM Maximo Asset Management 7.6.1.3 via a web page link in the email message body or subject line when they open the email message.

IBM Tuxedo CVE-2018-9381

"IBM Tuxedo CVE-2018-9381" is a vulnerability in IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, and 7.6.1.3, where a user could receive an email message with a link to a web page. Upon clicking on the linked web page, a user will be prompted to login to the Asset Management system. If the user does not log in, the user could receive another email message with a link to another web page. When the user clicks on this link, the user will be prompted to login, and so on (until there are no more links). This can result in a user receiving multiple login requests (from multiple email messages). This is a known issue that has been assigned the identifier "CVE-2018-9381". The vulnerability has been patched in software version 7.6.1.2 and later

IBM WebSphere Application Server (WAS)

Due to the vulnerability, IBM has released software update 7.6.2.2 that addresses this issue. This update is available on its website and through the IBM Security Intelligence Operations Center (SIOC) tool which can assist in determining if your IBM application servers are at risk for any vulnerabilities or have already been impacted by one of the known vulnerabilities.

IBM Maximo Asset Management 7.6.0 - 7.6.1.2 User Access Control vulnerability

IBM Maximo Asset Management 7.6.1.2 includes a vulnerability that could allow remote access to the system. The vulnerability has been assigned the identifier CVE-2018-9381 and affects versions of IBM Maximo Asset Management between 7.6.0 and 7.6.1.2, inclusive.

IBM Rational Asset Management 7.6.2

IBM Rational Asset Management 7.6.2 is affected by this vulnerability in that the issue lies in the way Asset Management identifies the source of a login request. If a user receives multiple login requests, then they may believe that they have been targeted by an unauthorized individual or attack.

Timeline

Published on: 09/21/2022 17:15:00 UTC
Last modified on: 09/22/2022 18:58:00 UTC

References

• https://www.ibm.com/support/pages/node/6621599
• https://exchange.xforce.ibmcloud.com/vulnerabilities/236311
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40616