CVE-2022-22354

CVSS base score: 7.5 (High)

📋 TL;DR

IBM Spectrum Protect Plus and IBM Spectrum Copy Data Management are vulnerable to a Slowloris-style HTTP denial of service against their Admin Console. An unauthenticated attacker who can reach the console opens many TCP connections and sends request headers slowly, never completing a request; each connection ties up a server worker until the pool is exhausted and the console stops responding to legitimate administrators. Any organization running an affected version is exposed.

💻 Affected Systems

Products:
  • IBM Spectrum Protect Plus
  • IBM Spectrum Copy Data Management
Versions: IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.2; IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3
Operating Systems: All supported platforms for these products
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the Admin Console web interface and is present in default deployments of every affected version.

📦 What is this software?

IBM Spectrum Protect Plus is IBM's backup and recovery product for virtual machines, databases and applications; IBM Spectrum Copy Data Management automates the creation and management of storage snapshot copies. Both are administered through a web-based Admin Console, which is the component affected here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete unavailability of the Admin Console, preventing administrators from managing backup and data protection operations, potentially disrupting critical data protection workflows.

🟠

Likely Case

Intermittent Admin Console unresponsiveness during attack periods, degrading administrative capabilities and potentially affecting backup scheduling and monitoring.

🟢

If Mitigated

Minimal impact with proper network segmentation, rate limiting, and updated versions, though some performance degradation might still occur during attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No product-specific PoC published (generic Slowloris tooling applies)
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Slowloris is a well-documented technique with freely available generic tooling, so no product-specific proof of concept is needed. Exploitation requires only network reachability to the Admin Console, not credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IBM Spectrum Protect Plus 10.1.10 and later; IBM Spectrum Copy Data Management 2.2.15 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/6562479

Restart Required: Yes

Instructions:

1. Download the fixed release from IBM Fix Central.
2. Back up the current configuration.
3. Apply the update following IBM's installation guide.
4. Restart the services.
5. Verify the Admin Console is functioning.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF)

Applies to: all platforms

Configure WAF rules to detect and block Slowloris attack patterns by limiting connection duration and request rates.

Network Segmentation and Access Control

Applies to: all platforms

Restrict access to the Admin Console to trusted networks only, reducing the attack surface.

🧯 If You Can't Patch

  • Implement network-based rate limiting that caps the number of concurrent connections a single source IP may hold to the Admin Console port.
  • Put a reverse proxy in front of the Admin Console with short header and body read timeouts (in nginx, client_header_timeout and client_body_timeout) and a per-client connection cap (limit_conn), so idle connections are dropped at the proxy before the console's own worker pool fills.
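The mechanism behind the attack described in the TL;DR, and the reason the idle-connection timeout above defeats it, can be shown with a toy server. This is an added example, not IBM code and not the Admin Console's real front end: it assumes a two-thread worker pool, a made-up /login path, a loopback listener and timeouts chosen for the demo. With no header-read timeout, two clients parking half-finished requests block an administrator's request; with a 0.5 s header timeout the server answers the stragglers with 408 and the real request is served.

```python
"""Added illustration: why Slowloris exhausts a bounded worker pool and
why an idle-connection (header read) timeout defeats it.

Toy server only; not IBM code.  WORKERS, the /login path, the loopback
listener and the timeouts are assumptions made for the demo.
"""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

WORKERS = 2      # deliberately tiny pool so two slow clients fill it


def _handle(conn, header_timeout):
    """Read one request head and answer it.  header_timeout=None is the
    vulnerable behaviour: the worker waits for the blank line forever."""
    conn.settimeout(header_timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(1024)
            if not chunk:            # peer closed without finishing
                return
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                     b"Connection: close\r\n\r\nok")
    except socket.timeout:
        # hardened behaviour: drop a client that never completes its headers
        try:
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\n"
                         b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        except OSError:
            pass
    except OSError:
        pass
    finally:
        conn.close()


def start_server(header_timeout):
    """Listen on an ephemeral loopback port; accepted sockets are serviced
    by a fixed pool of WORKERS threads.  Returns (port, stop)."""
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(16)
    lsock.settimeout(0.2)            # lets the acceptor notice stop()
    pool = ThreadPoolExecutor(max_workers=WORKERS)
    stopping = threading.Event()

    def acceptor():
        while not stopping.is_set():
            try:
                conn, _ = lsock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # With every worker busy the task just queues: the kernel has
            # accepted the connection but nobody reads from it.
            try:
                pool.submit(_handle, conn, header_timeout)
            except RuntimeError:     # pool already shut down
                conn.close()
                break

    threading.Thread(target=acceptor, daemon=True).start()

    def stop():
        stopping.set()
        lsock.close()
        pool.shutdown(wait=False)

    return lsock.getsockname()[1], stop


def slow_clients(port, count):
    """Open `count` connections that send a partial request head and then
    go quiet: the Slowloris pattern (no terminating blank line)."""
    socks = []
    for _ in range(count):
        s = socket.create_connection(("127.0.0.1", port))
        s.sendall(b"GET /login HTTP/1.1\r\nHost: console\r\nX-a: 1\r\n")
        socks.append(s)
    return socks


def legit_request(port, wait):
    """One complete request from an administrator; returns the status line,
    or None if nothing came back within `wait` seconds."""
    s = None
    try:
        s = socket.create_connection(("127.0.0.1", port), timeout=wait)
        s.sendall(b"GET /login HTTP/1.1\r\nHost: console\r\n\r\n")
        data = s.recv(64)
        return data.split(b"\r\n", 1)[0].decode()
    except (socket.timeout, OSError):
        return None
    finally:
        if s is not None:
            s.close()


def simulate(header_timeout, attackers=WORKERS, wait=1.5):
    """Start a server with the given header-read timeout, park `attackers`
    slow connections on it, then see whether a real request gets through."""
    port, stop = start_server(header_timeout)
    held = slow_clients(port, attackers)
    time.sleep(0.1)                  # let the pool pick up the slow clients
    try:
        return legit_request(port, wait)
    finally:
        for s in held:
            s.close()
        stop()


if __name__ == "__main__":
    print("no header timeout   :", simulate(None))   # None: console unresponsive
    print("0.5 s header timeout:", simulate(0.5))    # HTTP/1.1 200 OK
```

The same principle is what the reverse-proxy timeout buys in production: a connection the proxy has already given up on never reaches the console's own worker pool.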

🔍 How to Verify

Check if Vulnerable:

Check the product version via Admin Console or command line. If running IBM Spectrum Protect Plus 10.1.0.0-10.1.9.2 or IBM Spectrum Copy Data Management 2.2.0.0-2.2.14.3, the system is vulnerable.

Check Version:

For IBM Spectrum Protect Plus: Admin Console → Help → About. Command-line checks vary by platform; consult the product documentation.

Verify Fix Applied:

After patching, verify the version is IBM Spectrum Protect Plus 10.1.10+ or IBM Spectrum Copy Data Management 2.2.15+. Test the Admin Console under simulated load to ensure responsiveness.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high number of concurrent HTTP connections
  • Long-duration incomplete HTTP requests
  • Admin Console access logs showing repeated connection attempts from single IPs

Network Indicators:

  • Multiple partial HTTP requests from same source IP
  • Sustained TCP connections without completing HTTP transactions
  • Abnormal traffic patterns to Admin Console port

SIEM Query:

source="admin_console_logs" AND (event="connection_timeout" OR status="incomplete") | stats count by src_ip | where count > threshold

The query is illustrative: field names depend on your log source, and threshold must be tuned to the normal number of administrator sessions. Because a Slowloris request is never completed, an application log written at request completion may never record it at all; the more reliable signals are the request-timeout entries of a reverse proxy in front of the console and the host's TCP connection table (many long-lived established connections from one source with little data transferred).
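As an added example of the detection logic above (not IBM code), the following assumes a reverse proxy in front of the Admin Console writing an access log in an assumed custom format, $remote_addr [$time_local] "$request" $status $request_time, and counts, per source IP, the requests that timed out before completing. The log lines are constructed for the demo; the 408 entries are what nginx writes when a client hits client_header_timeout, with $request showing "-" or a partial request line depending on how far the client got.

```python
"""Added illustration: picking Slowloris sources out of a reverse-proxy
access log.  Not IBM code.  Assumed custom log format (not nginx's default):
    $remote_addr [$time_local] "$request" $status $request_time
The sample lines below are constructed for the demo."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<rt>\d+(?:\.\d+)?)$'
)

# Constructed sample: 203.0.113.7 parks six connections that the proxy
# times out (408) after its 60 s header timeout; an administrator's normal
# traffic, one stray timeout and one unparseable line are mixed in.
SAMPLE_LOG = """\
203.0.113.7 [10/Mar/2022:14:05:01 +0000] "-" 408 60.001
198.51.100.20 [10/Mar/2022:14:05:03 +0000] "GET /login HTTP/1.1" 200 0.184
203.0.113.7 [10/Mar/2022:14:05:04 +0000] "GET /login HTTP/1.1" 408 60.003
203.0.113.7 [10/Mar/2022:14:05:04 +0000] "-" 408 60.002
192.0.2.9 [10/Mar/2022:14:05:09 +0000] "-" 408 60.000
198.51.100.20 [10/Mar/2022:14:05:12 +0000] "GET /api/jobs HTTP/1.1" 200 0.412
203.0.113.7 [10/Mar/2022:14:05:15 +0000] "GET /login HTTP/1.1" 408 60.004
this line is garbage and must be skipped
203.0.113.7 [10/Mar/2022:14:05:16 +0000] "-" 408 60.001
198.51.100.20 [10/Mar/2022:14:05:20 +0000] "POST /api/jobs HTTP/1.1" 201 0.650
203.0.113.7 [10/Mar/2022:14:05:22 +0000] "-" 408 60.002
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["rt"] = float(d["rt"])
    return d


def is_incomplete(entry, min_rt):
    """Slowloris signature at the proxy: the request head never completed,
    so the proxy gave up with 408 after $request_time ran up to its
    header timeout.  The request field may be "-" or a partial line."""
    return entry["status"] == 408 and entry["rt"] >= min_rt


def slowloris_suspects(lines, min_hits=5, min_rt=30.0):
    """Count timed-out requests per source IP and return the sources with
    at least min_hits of them, most active first."""
    hits = Counter()
    for line in lines:
        e = parse_line(line)
        if e is not None and is_incomplete(e, min_rt):
            hits[e["ip"]] += 1
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    for ip, n in slowloris_suspects(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} timed-out requests")    # 203.0.113.7: 6 timed-out requests
```

min_hits and min_rt are the tuning knobs that correspond to "threshold" in the SIEM query: set min_rt just below the proxy's configured header timeout and min_hits above the number of stalled connections a single administrator's browser could plausibly produce.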

🔗 References

  • IBM Security Bulletin for CVE-2022-22354: https://www.ibm.com/support/pages/node/6562479
