CVE-2022-43917: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server 8.5 and 9.0 traditional container was found to be vulnerable to information disclosure due to weak cryptographic keys (CVE-2022-43917). The vulnerability was discovered and reported on October 26, 2022, affecting only the containerized version of WebSphere Application Server traditional (CVE Details, NVD).

The vulnerability is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) with a CVSS v3.1 base score of 7.5 (HIGH) according to NVD, while IBM Corporation assessed it at 5.9 (MEDIUM). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high confidentiality impact (NVD).

The vulnerability could allow an attacker to decrypt sensitive information due to the implementation of weaker than expected cryptographic keys in the system (IBM Advisory).

IBM recommends updating all container images created prior to January 23, 2023. For V9.0.0.9 through 9.0.5.14, users should update to container image version 9.0.5.14 or later versions. For V8.5.5.17 through 8.5.5.22, users should update to container image version 8.5.5.22 or later versions (IBM Advisory).