In late 2021, IBM found a troubling weakness in its WebSphere Application Server Liberty, the lightweight Java application server used by thousands of companies to run web applications. The flaw, tracked as CVE-2022-22310, affects versions 21.0.0.10 through 21.0.0.12, and it could allow a remote attacker to bypass security controls and obtain sensitive information from your Java JAX-WS (Java API for XML Web Services) applications.

This post breaks down the technical details of the vulnerability, how it could be exploited, how you can check if you’re at risk, and what you should do to stay safe.

What’s the Vulnerability? (In Simple Terms)

WebSphere Liberty is meant to provide secure web services. But, due to a misconfiguration in the way some security settings are handled for JAX-WS (SOAP-based web services), an attacker could bypass security and gain access to information they shouldn’t.

IBM describes this issue as follows:

> “IBM WebSphere Application Server Liberty could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications.”  
(IBM X-Force ID: 217224)

In plain English, this means someone on the internet could interact with your web services and, if you're running an affected version, obtain data they are not supposed to see, without even needing to log in.

How Can Attackers Exploit This?

WebSphere Liberty is supposed to enforce authentication (asking users who they are) and authorization (checking if they are allowed to access a resource) for web services. Due to this flaw, security may not be as strong as you think.

An attacker could:

1. Find your SOAP web service endpoint (e.g., https://YOUR_SERVER/context/services/MyWebService)

2. Send crafted SOAP requests to operations that should be protected by authentication.

3. Get a valid response with sensitive data, because the server did not properly require login or check permissions.

Here's a basic curl command that an attacker might use:

```bash
curl -X POST \
     -H "Content-Type: text/xml" \
     --data '<?xml version="1.0" encoding="utf-8"?>
       <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
           <soapenv:Header/>
           <soapenv:Body>
               <ns1:getSensitiveData xmlns:ns1="http://example.com/"/>
           </soapenv:Body>
       </soapenv:Envelope>' \
     https://vulnerable-liberty-server:9443/mySoapService
```

On a properly protected server, this request would return “401 Unauthorized.”  
But with CVE-2022-22310 on an affected version, it could leak actual, sensitive business data.

- Customer records
- Other sensitive documents/services exposed via SOAP

How Can You Check If You're Affected?

Check your Liberty version:

```bash
java -jar wlp/bin/productInfo.jar version
```

Check your deployed applications:

Are you using any JAX-WS/SOAP endpoints?

Test with an unauthenticated request:

Try accessing SOAP endpoints directly, without logging in, like above. If you get data, you're affected.
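The two checks above, as an added helper script (not from the original post or from IBM): it reads the version out of productInfo output and classifies the reply to an unauthenticated SOAP request. The "Product version:" line format and the sample output are assumptions, constructed for this example.

```python
"""Helpers for the two CVE-2022-22310 checks: version range and unauthenticated-request result."""
import re
from typing import Optional, Tuple

# Affected range and fix level as stated in the post (inclusive bounds).
AFFECTED_MIN = (21, 0, 0, 10)
AFFECTED_MAX = (21, 0, 0, 12)
FIXED_IN = (22, 0, 0, 2)

# Constructed sample of `productInfo.jar version` output (assumed format).
SAMPLE_PRODUCTINFO = """Product name: WebSphere Application Server
Product version: 21.0.0.12
Product edition: BASE
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the four-part Liberty version from productInfo output, or None."""
    m = re.search(r"Product version:\s*(\d+(?:\.\d+){3})", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected_version(version: Tuple[int, ...]) -> bool:
    """True when the version falls inside 21.0.0.10 .. 21.0.0.12."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify_unauth_response(status: int, body: str) -> str:
    """Interpret the reply to an unauthenticated request against an endpoint
    that should require login.
      'protected'    - server demanded credentials (the expected behaviour)
      'exposed'      - 200 with a real SOAP Body and no Fault: auth was not enforced
      'inconclusive' - anything else (Fault, redirect, server error, ...)"""
    if status in (401, 403):
        return "protected"
    if status == 200:
        has_body = re.search(r"<(?:\w+:)?Body\b", body) is not None
        has_fault = re.search(r"<(?:\w+:)?Fault\b", body) is not None
        return "exposed" if has_body and not has_fault else "inconclusive"
    return "inconclusive"


if __name__ == "__main__":
    v = parse_version(SAMPLE_PRODUCTINFO)
    print("version", v, "affected" if v and is_affected_version(v) else "not in affected range")
```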

How Can You Fix CVE-2022-22310?

IBM released a fix in version 22.0.0.2 and later.

- Upgrade your WebSphere Liberty server to at least 22.0.0.2
- IBM fix instructions (official)

Reported by: IBM

- IBM X-Force ID: 217224
- NIST NVD: CVE-2022-22310
- IBM Security Bulletin: IBM WebSphere Application Server Liberty security vulnerability

Wrap Up

CVE-2022-22310 is a classic example of how seemingly small configuration slip-ups in web service security can have outsized impacts, leaking data with just a simple request. If you run IBM WebSphere Liberty, check your versions and upgrade ASAP.  
Want more details, or need help protecting your apps? Drop a comment below or reach out!

Stay safe and patch smart!  
*(Feel free to share this post to help others stay secure.)*

References

- IBM X-Force Exchange – CVE-2022-22310
- NIST CVE-2022-22310 Entry
- IBM Security Bulletin

Timeline

Published on: 01/19/2022 17:15:00 UTC
Last modified on: 01/25/2022 20:23:00 UTC