May 09, 2024 - 9:22 a.m.

Security Bulletin: Due to the use of IBM WebSphere Application Server Liberty, IBM TXSeries for Multiplatforms is vulnerable to Denial of Service, Weaker than expected security, Cross-site scripting and Server-side request forgery (SSRF).

2024-05-09 09:22:20
www.ibm.com
ibm websphere application server liberty
ibm txseries for multiplatforms
vulnerability
denial of service
weaker than expected security
cross-site scripting
server-side request forgery (ssrf)

CVSS3: 7 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

AI Score: 7.1 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Summary

There are vulnerabilities in IBM WebSphere Application Server Liberty related packages that are shipped with IBM TXSeries for Multiplatforms. The version of IBM WebSphere Application Server Liberty shipped with IBM TXSeries for Multiplatforms has been updated to address the applicable issues.

Vulnerability Details

CVEID: CVE-2023-51775
**DESCRIPTION:** jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/275907 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-22329
**DESCRIPTION:** IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker could exploit this vulnerability to conduct the SSRF attack. X-Force ID: 279951.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279951 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2024-22354
**DESCRIPTION:** IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)

CVEID: CVE-2023-50312
**DESCRIPTION:** IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274711.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/274711 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-27270
**DESCRIPTION:** IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284576 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM TXSeries for Multiplatforms | 8.1 |
| IBM TXSeries for Multiplatforms | 8.2 |
| IBM TXSeries for Multiplatforms | 9.1 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by upgrading IBM TXSeries for Multiplatforms.

| Product | Version | Platform | Remediation/Fix |
|---|---|---|---|
| IBM TXSeries for Multiplatforms | 8.1 | Linux, AIX | PSIRT fixes for IBM TXSeries for Multiplatforms 8.1 will be provided only for extended support customers with request through Salesforce case. |
| IBM TXSeries for Multiplatforms | 8.2 | Linux, AIX, Windows, HP | PSIRT fixes for IBM TXSeries for Multiplatforms 8.2 will be provided only for extended support customers with request through Salesforce case. |
| IBM TXSeries for Multiplatforms | 9.1 | Linux, AIX | Download the upgrade from Fix Central |

Workarounds and Mitigations

None

Affected configurations

Vendor: ibm
Product: txseries_for_multiplatforms
Matching versions: 8.1 OR 8.2 OR 9.1
