CVE-2022-40234
First published: Fri Sep 16 2022(Updated: )
Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) include the private key information for a certificate inside the generated .crt file when uploading a TLS certificate to IBM Spectrum Protect Plus. If this generated .crt file is shared, an attacker can obtain the private key information for the uploaded certificate.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Spectrum Protect Plus | <=10.1.0-10.1.11 | |
| IBM Spectrum Protect Plus | <10.1.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this IBM Spectrum Protect Plus vulnerability?
The vulnerability ID for this IBM Spectrum Protect Plus vulnerability is CVE-2022-40234.
What versions of IBM Spectrum Protect Plus are affected by this vulnerability?
Versions of IBM Spectrum Protect Plus prior to 10.1.12 (excluding 10.1.12) are affected by this vulnerability.
What is the severity of CVE-2022-40234?
The severity of CVE-2022-40234 is medium with a severity value of 5.9.
What is the impact of this vulnerability?
This vulnerability allows an attacker to obtain the private key if the generated .crt file is shared.
How can I fix this vulnerability?
To fix this vulnerability, update IBM Spectrum Protect Plus to version 10.1.12 or later.
- collector/ibm-support
- collector/nvd-index
- vendor/ibm
- canonical/ibm spectrum protect plus
- version/ibm spectrum protect plus/10.1.0-10.1.11