CVE-2022-22472

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to bypass IBM Spectrum Protect Plus role-based access controls by retrieving session information from container logs. Attackers can exploit this to gain unauthorized access to the Spectrum Protect Plus server with the permissions of the compromised user. Affected systems include IBM Spectrum Protect Plus Container Backup and Restore deployments on Kubernetes (10.1.5-10.1.10.2) and Red Hat OpenShift (10.1.7-10.1.10.2).

💻 Affected Systems

Products:
  • IBM Spectrum Protect Plus Container Backup and Restore
Versions: 10.1.5 through 10.1.10.2 for Kubernetes, 10.1.7 through 10.1.10.2 for Red Hat OpenShift
Operating Systems: Kubernetes, Red Hat OpenShift
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects container-based deployments, not traditional server installations.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full administrative access to the IBM Spectrum Protect Plus server, allowing data exfiltration, backup manipulation, or complete system compromise.

🟠 Likely Case

Unauthorized access to sensitive backup data or configuration information, or the ability to disrupt backup operations.

🟢 If Mitigated

Limited impact with proper network segmentation, log access controls, and monitoring in place.

🌐 Internet-Facing: HIGH - If the vulnerable container is exposed to the internet, attackers can remotely exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but it requires access to the container logs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to container logs which may be accessible via Kubernetes/OpenShift APIs or exposed logging endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IBM Spectrum Protect Plus 10.1.11 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/6596907

Restart Required: Yes

Instructions:

1. Upgrade to IBM Spectrum Protect Plus version 10.1.11 or later.
2. Apply the fix to all affected container deployments.
3. Restart the Spectrum Protect Plus containers.
4. Verify the fix by checking the version and testing access controls.

🔧 Temporary Workarounds

Restrict Container Log Access

Platform: Linux

Implement strict access controls on container logs so that only the identities that genuinely need the pods/log subresource can read it. Creating a narrow role is only half of the workaround: any user or service account that should not read these logs must also be removed from broader role bindings (for example the built-in view, edit or admin roles) that already grant pods/log in the namespace. Replace <spp-namespace> with the namespace in which the Spectrum Protect Plus containers run.

# Namespace-scoped role that grants read access to the pods/log subresource only
kubectl create role pod-logs-reader --verb=get,list --resource=pods/log --namespace=<spp-namespace>
# Bind the role to the one account that is allowed to read the logs
kubectl create rolebinding restrict-logs --role=pod-logs-reader --user=authorized-user --namespace=<spp-namespace>

Network Segmentation

Platform: All

Isolate the Spectrum Protect Plus containers from untrusted networks and limit access to the Kubernetes/OpenShift API. Apply a NetworkPolicy with the appropriate deny rules (a default-deny ingress policy for the namespace, with allow rules only for the sources that need to reach the containers):

kubectl apply -f network-policy.yaml

🧯 If You Can't Patch

  • Implement strict RBAC controls on Kubernetes/OpenShift to limit who can access container logs
  • Enable detailed audit logging for all access to Spectrum Protect Plus containers and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

List the container images of the IBM Spectrum Protect Plus pods (adjust the label selector to match your deployment):

kubectl get pods -l app=spectrum-protect-plus -o jsonpath='{.items[*].spec.containers[*].image}'

Check Version:

Extract the version tag from the image names. The pattern allows an optional fourth component so that fix-pack versions such as 10.1.10.2 are matched in full:

kubectl get pods -l app=spectrum-protect-plus -o jsonpath='{.items[*].spec.containers[*].image}' | grep -oE '10\.[0-9]+\.[0-9]+(\.[0-9]+)?'

Verify Fix Applied:

Verify version is 10.1.11 or later and test that session information is no longer exposed in container logs.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to container logs
  • Multiple failed login attempts followed by successful login from unusual source
  • Session tokens appearing in container log files

Network Indicators:

  • Unusual API calls to Kubernetes/OpenShift logging endpoints
  • Traffic from unexpected sources to Spectrum Protect Plus management interfaces

SIEM Query:

source="kubernetes" AND ("pods/log" OR "container logs") AND (user NOT IN [authorized_users])
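The two indicators above (reads of the pods/log subresource by principals outside an allowlist, and session credentials appearing in the container logs themselves) can be checked offline against exported logs. The following is an added example, not code from the CVE entry or from IBM: it implements the SIEM query over Kubernetes API-server audit events (audit.k8s.io/v1 JSON lines) and scans container log text for strings that look like session material. The namespace, usernames, pod names and log lines are constructed samples, and the credential patterns (Bearer tokens, sessionid-style cookies) are an assumption, since the advisory does not document the exact form the leaked session information takes.

```python
"""Detection helpers for the CVE-2022-22472 indicators: unauthorized pods/log
reads in Kubernetes audit events, and session material leaked into container
logs. Added example; all sample data below is constructed, not real."""
import json
import re

# Constructed audit events in the audit.k8s.io/v1 Event shape (namespace "spp",
# users and pod names are made up).
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"backup-admin","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"spp","name":"spp-server-0","subresource":"log"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2022-04-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"dev-user","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"spp","name":"spp-server-0","subresource":"log"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2022-04-01T10:05:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"dev-user","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"spp"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2022-04-01T10:06:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:monitoring:log-collector","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"spp","name":"spp-server-0","subresource":"log"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2022-04-01T10:07:00Z"}
"""

# Constructed container log excerpt; the token and session id are dummies.
SAMPLE_CONTAINER_LOG = """\
2022-04-01T10:00:01Z INFO  starting backup job 42
2022-04-01T10:00:02Z DEBUG request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl
2022-04-01T10:00:03Z INFO  job 42 completed
2022-04-01T10:00:04Z DEBUG set cookie sessionid=3f9c1a7e5d2b4c8a; path=/
"""

# Allowlist and watched namespaces: placeholders for a real deployment.
AUTHORIZED_LOG_READERS = {"backup-admin"}
SPP_NAMESPACES = {"spp"}

# Assumed shapes of session material; tune to the product's real log format.
SECRET_PATTERNS = [
    ("bearer-token", re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{16,}")),
    ("session-id", re.compile(r"(?i)(?:jsessionid|sessionid|session_id|sid)=[A-Za-z0-9._-]{8,}")),
]


def find_unauthorized_log_reads(audit_jsonl, authorized=AUTHORIZED_LOG_READERS,
                                namespaces=SPP_NAMESPACES):
    """Return (username, namespace, pod, http_code, timestamp) for every read of
    the pods/log subresource in a watched namespace by a principal not on the
    allowlist. Denied (403) requests are reported too: they are the
    'unauthorized access attempts' indicator, not noise."""
    hits = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") != "log":
            continue  # only the log subresource matters for this CVE
        if namespaces and ref.get("namespace") not in namespaces:
            continue
        user = (ev.get("user") or {}).get("username", "")
        if user in authorized:
            continue
        hits.append((user, ref.get("namespace"), ref.get("name"),
                     (ev.get("responseStatus") or {}).get("code"),
                     ev.get("requestReceivedTimestamp")))
    return hits


def find_leaked_session_material(log_text, patterns=SECRET_PATTERNS):
    """Return (line_number, pattern_name, redacted_match) for each log line that
    carries something resembling a session credential. The match is truncated
    so the finding itself does not re-leak the secret into another log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, rx in patterns:
            m = rx.search(line)
            if m:
                findings.append((lineno, name, m.group(0)[:12] + "...[redacted]"))
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for hit in find_unauthorized_log_reads(SAMPLE_AUDIT_LOG):
        print("pods/log read outside allowlist:", hit)
    for finding in find_leaked_session_material(SAMPLE_CONTAINER_LOG):
        print("session material in container log:", finding)
```

Run against a real cluster by exporting the API-server audit log (JSON lines) and the output of `kubectl logs` for the Spectrum Protect Plus pods; any finding from the second function on an unpatched version is the exposure this CVE describes, and any hit from the first function is a candidate for the RBAC cleanup in the workarounds section.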
