ESB-2026.4308 — Vulnetix

ESB-2026.4308 PUBLISHED CVSS 7.5 HIGH

=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.4308 Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and WebSphere Application Server Liberty due to the April 2026 Java CPU 28 April 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: IBM WebSphere Application Server Publisher: IBM Operating System: IBM i Windows AIX z/OS Linux macOS Resolution: Patch/Upgrade CVE Names: CVE-2026-22016 CVE-2026-22021 CVE-2026-22013 CVE-2026-22018 CVE-2026-22007 CVE-2026-34268 Original Bulletin: https://www.ibm.com/support/pages/node/7270877 Comment: CVSS (Max): 7.5 CVE-2026-22016 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSS Source: IBM Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N EPSS (Max): 0.1% (30th) CVE-2026-22016 2026-04-27 - --------------------------BEGIN INCLUDED TEXT-------------------- IBM Support Document Information Document number : 7270877 Modified date : More support for: WebSphere Application Server Product : WebSphere Application Server Component : Liberty Software version : 9.0, 8.5, Liberty Operating system(s): AIX IBM i Linux Windows z/OS Mac OS Security Bulletin Summary There are multiple vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. The CVE(s) listed in this document might affect some configurations of IBM WebSphere Application Server traditional and IBM WebSphere Application Server Liberty. If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities is applicable to your code. For a complete list of vulnerabilities, refer to the link for "IBM Java SDK Security Bulletin" located in the References section for more information. Vulnerability Details CVEID: CVE-2026-22016 DESCRIPTION: Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CVSS Source: secalert_us@oracle.com CVSS Base score: 7.5 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVEID: CVE-2026-22021 DESCRIPTION: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. CWE: CWE-400: Uncontrolled Resource Consumption CVSS Source: secalert_us@oracle.com CVSS Base score: 5.3 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2026-22013 DESCRIPTION: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. CWE: CWE-693: Protection Mechanism Failure CVSS Source: secalert_us@oracle.com CVSS Base score: 5.3 CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) CVEID: CVE-2026-22018 DESCRIPTION: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. CWE: CWE-770: Allocation of Resources Without Limits or Throttling CVSS Source: secalert_us@oracle.com CVSS Base score: 3.7 CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2026-34268 DESCRIPTION: Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CVSS Source: secalert_us@oracle.com CVSS Base score: 2.9 CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2026-22007 DESCRIPTION: Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CVSS Source: secalert_us@oracle.com CVSS Base score: 2.9 CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Affected Products and Versions +------------------------------------------+-------------------+ |Affected Product(s) |Version(s) | +------------------------------------------+-------------------+ |IBM WebSphere Application Server - Liberty|Continuous delivery| +------------------------------------------+-------------------+ |IBM WebSphere Application Server |9.0 | +------------------------------------------+-------------------+ |IBM WebSphere Application Server |8.5 | +------------------------------------------+-------------------+ Remediation/Fixes For IBM WebSphere Application Server Liberty: Upgrade to IBM SDK, Java Technology Edition Version 8 SR8 FP65 refer to IBM Java SDKs for Liberty For Version 9 IBM WebSphere Application Server traditional: Update to the IBM SDK, Java Technology Edition, Version 8 Service Refresh 8 FP65 using the instructions in the IBM Documentation Installing and updating IBM SDK, Java Technology Edition on distributed environments then use the IBM Installation Manager to access the online product repositories to install the SDK or use IBM Installation Manager and access the packages from Fixcentral . For Version 8.5.0.0 through 8.5.5.29 IBM WebSphere Application Server traditional: For the IBM SDK, Java Technology Version that you use, upgrade to the minimal fix pack level of IBM WebSphere Application Server as noted in the interim fix below then apply the interim fixes: For IBM SDK Java Technology Edition Version 8 o For environments that have been upgraded to use the new default IBM SDK Version 8 bundled with IBM WebSphere Application Server Fix Pack 8.5.5.11 or later: Apply the interim fix that resolves PH70990 : Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 8 FP65. OR o Apply IBM Java SDK shipped with IBM WebSphere Application Server Fix pack 30 (8.5.5.30) or later (targeted availability 3Q 2026). For Application Client for IBM WebSphere Application Server: Follow instructions above for the IBM WebSphere Application Server to download the interim fix needed for your version of the Application Client. Workarounds and Mitigations None IBM Java SDK Security Bulletin Acknowledgement Change History 27 Apr 2026: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions. - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
IBM	IBM WebSphere Application Server

Timeline

Apr 28, 2026 CVE Published

References

http://portal.auscert.org.au/bulletins/ESB-2026.4308/ advisory
https://www.ibm.com/support/pages/node/7270877 advisory

Open in Interactive Console →