CVE-2021-39031

8.8 HIGH

📋 TL;DR

This LDAP injection vulnerability in IBM WebSphere Application Server - Liberty allows authenticated remote attackers to manipulate LDAP queries through specially crafted requests. Successful exploitation could grant unauthorized access to protected resources. Affected systems include Liberty versions 17.0.0.3 through 22.0.0.1.

💻 Affected Systems

Products:
  • IBM WebSphere Application Server - Liberty
Versions: 17.0.0.3 through 22.0.0.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access; vulnerability exists in LDAP query handling components.

📦 What is this software?

IBM WebSphere Application Server Liberty is IBM's lightweight Java application server runtime (Java EE / Jakarta EE and MicroProfile) used to host Java web applications and services; it can be configured to authenticate users against an LDAP directory, which is where the affected LDAP query handling sits.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through privilege escalation, allowing attackers to access sensitive data, modify configurations, or execute arbitrary code.

🟠 Likely Case: Unauthorized access to protected resources, data exfiltration, or privilege escalation within the application context.

🟢 If Mitigated: Limited impact due to network segmentation, strong authentication controls, and proper input validation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of LDAP injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.0.0.2 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/6550488

Restart Required: Yes

Instructions:

1. Download and install Liberty version 22.0.0.2 or later from IBM Fix Central.
2. Apply the fix pack to affected servers.
3. Restart the Liberty server instances.

🔧 Temporary Workarounds

Input Validation Enhancement (all platforms)

Implement strict input validation for LDAP query parameters to filter special characters.
Configure custom filters in server.xml to sanitize LDAP inputs.

Network Segmentation (all platforms)

Restrict network access to Liberty servers to only trusted sources.
Configure firewall rules to limit inbound connections to Liberty ports.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all LDAP query parameters
  • Apply network segmentation and restrict access to Liberty servers to only necessary users
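The input validation workaround above amounts to making sure user-controlled values are escaped before they reach an LDAP search filter. The following is an added example, not code from the advisory or from IBM Liberty, showing the unsafe concatenation pattern beside RFC 4515 escaping and a simple metacharacter check; the filter shape and the sample input are constructed for illustration.

```python
# Added example (not from the advisory or from IBM Liberty's own code):
# RFC 4515 escaping of user input placed into an LDAP search filter, shown
# against the unsafe concatenation pattern that makes LDAP injection possible.

# Characters that carry structural meaning inside an LDAP filter assertion
# value (RFC 4515, section 3) and their hex-escaped replacements.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally, never parsed as syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw user input concatenated into the filter string."""
    return f"(&(objectClass=person)(uid={username}))"


def build_uid_filter_safe(username: str) -> str:
    """Hardened pattern: the same filter with the value escaped first."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def has_filter_metachars(value: str) -> bool:
    """Check for a validation/rejection layer: True if the input contains filter syntax."""
    return any(ch in _FILTER_ESCAPES for ch in value)


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    tainted = "*)(uid=*"
    print(build_uid_filter_unsafe(tainted))  # filter structure is altered
    print(build_uid_filter_safe(tainted))    # value is matched literally
```

Rejecting inputs for which has_filter_metachars() is true, and escaping everything else, gives a defence that does not depend on the server's own filter handling being correct.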

🔍 How to Verify

Check if Vulnerable:

Check Liberty version using server command or configuration files; versions 17.0.0.3 through 22.0.0.1 are vulnerable.

Check Version:

Liberty/bin/server version

Verify Fix Applied:

Verify Liberty version is 22.0.0.2 or later and test LDAP query functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns
  • Failed authentication attempts with special characters
  • Unexpected access to protected resources

Network Indicators:

  • Abnormal LDAP traffic patterns
  • Unexpected outbound connections from Liberty servers

SIEM Query:

source="liberty.log" AND ("LDAP injection" OR "malformed query" OR "unauthorized access")
