Jun 20, 2024 - 6:46 a.m.

Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2024-22354)

2024-06-20 06:46:52
www.ibm.com

CVSS3: 7 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score: 6.4 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Summary

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are used by IBM Watson Explorer. IBM Watson Explorer has addressed the applicable CVE (CVE-2024-22354).

Vulnerability Details

**CVEID:** CVE-2024-22354
**DESCRIPTION:** IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.
CVSS Base score: 7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/280401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM Watson Explorer DAE Analytical Components | 12.0.0.0, 12.0.0.1, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.14
IBM Watson Explorer DAE Foundational Components | 12.0.0.0, 12.0.0.1, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.14
IBM Watson Explorer Analytical Components | 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2.0 - 11.0.2.18
IBM Watson Explorer Foundational Components | 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2.0 - 11.0.2.18

Remediation/Fixes

Affected Product | Affected Versions | Fix
---|---|---
IBM Watson Explorer DAE Analytical Components | 12.0.0.0, 12.0.0.1, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.14 | Upgrade to Version 12.0.3.15. See Watson Explorer Version 12.0.3.15 Analytical Components for download information and instructions.
IBM Watson Explorer DAE Foundational Components | 12.0.0.0, 12.0.0.1, 12.0.1, 12.0.2.0 - 12.0.2.2, 12.0.3.0 - 12.0.3.14 | Upgrade to Version 12.0.3.15. See Watson Explorer Version 12.0.3.15 Foundational Components for download information and instructions.
IBM Watson Explorer Analytical Components | 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2.0 - 11.0.2.18 | Upgrade to Watson Explorer Analytical Components Version 11.0.2 Fix Pack 19. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
IBM Watson Explorer Foundational Components | 11.0.0.0 - 11.0.0.3, 11.0.1, 11.0.2.0 - 11.0.2.18 | Upgrade to Watson Explorer Foundational Components Version 11.0.2 Fix Pack 19. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmwatson_queryMatch11.0.0
OR
ibmwatson_queryMatch11.0.1
OR
ibmwatson_queryMatch11.0.2
OR
ibmwatson_queryMatch12.0.0
OR
ibmwatson_queryMatch12.0.1
OR
ibmwatson_queryMatch12.0.2
OR
ibmwatson_queryMatch12.0.3
