Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Apache Commons FileUpload

2024-02-16 08:15:31
www.ibm.com
Tags: ibm websphere liberty, denial of service, apache commons fileupload, vulnerability, upgrade, efix, taddm

CVSS3: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 7.6 High (Confidence: High)

EPSS: 0.034 Low (Percentile: 91.4%)

Summary

This security bulletin addresses a vulnerability in IBM WebSphere Application Server Liberty, which is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998).

Vulnerability Details

CVEID: CVE-2023-24998
**DESCRIPTION:** Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limiting the number of request parts to be processed in the file upload function. By sending a specially-crafted request with a series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
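As an added illustration (not code from this bulletin, from IBM or from the Commons project), this is how an application that embeds Apache Commons FileUpload directly closes the gap the description above refers to: FileUpload 1.5 added FileUploadBase#setFileCountMax, and, like the other upload limits, it stays unlimited unless explicitly set. The class name and limit values are constructed for the example; TADDM users receive the fix through the Liberty upgrade or eFix described in this bulletin, not by changing code.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Constructed example class; the limit values are illustrative, not from the bulletin.
public final class BoundedMultipartParser {
    private static final long MAX_PARTS = 50;                        // parts per request
    private static final long MAX_FILE_BYTES = 5L * 1024 * 1024;     // bytes per part
    private static final long MAX_REQUEST_BYTES = 20L * 1024 * 1024; // bytes per request

    // Pre-1.5 style configuration: only byte-size limits are set, so the
    // number of parts in one request is unbounded. That is the condition
    // CVE-2023-24998 describes, and it is still the default in 1.5 if the
    // part-count limit is never configured.
    static ServletFileUpload unboundedPartCount() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileSizeMax(MAX_FILE_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        return upload;
    }

    // FileUpload 1.5+: the part-count limit is opt-in and must be set explicitly.
    static ServletFileUpload boundedPartCount() {
        ServletFileUpload upload = unboundedPartCount();
        upload.setFileCountMax(MAX_PARTS);
        return upload;
    }

    public static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        // parseRequest stops and throws a FileUploadException once any configured
        // limit, including the part count, is exceeded; the caller should answer
        // with a 4xx status rather than keep processing parts.
        return boundedPartCount().parseRequest(request);
    }
}
```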

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Tivoli Application Dependency Discovery Manager | 7.3.0.0 - 7.3.0.10

Remediation/Fixes

To resolve the issue, the WebSphere Application Server Liberty embedded in TADDM needs to be upgraded to version 23.0.0.4.

The eFix in the table below can be downloaded and applied directly.

Fix | VRMF | APAR | How to acquire fix
efix_WLP_PSIRT_23004_FP6190313.zip | 7.3.0.5 - 7.3.0.6 | None | Download eFix
efix_WLP_PSIRT_23004_FP10221123.zip | 7.3.0.7 - 7.3.0.10 | None | Download eFix

Note:

  • Prior to TADDM 7.3.0.5, Java 7 was used, and the upgraded Liberty version requires Java 8. Hence, no eFix can be provided for versions before 7.3.0.5.
  • For customers on TADDM FixPack 3 or FixPack 4, the recommendation is to upgrade to a later version and then follow the steps mentioned above.

Workarounds and Mitigations

For customers on TADDM 7.3.0.3 or 7.3.0.4, the recommendation is to upgrade to the latest version and then apply the eFix directly.

Affected configurations

Vulners node: ibm tivoli_application_dependency_discovery_manager, match 7.3.0.0
OR
Vulners node: ibm tivoli_application_dependency_discovery_manager, match 7.3.0.8
