Security Bulletin: Denial of Service vulnerability in WebSphere Liberty affects IBM Business Automation Workflow - CVE-2024-22353

Summary

IBM WebSphere Application Server Liberty profile is shipped with IBM Business Automation Workflow components User Management Service and Process Federation Service. Liberty is also used in containerized versions of IBM Business Automation Workflow. Liberty is vulnerable to a denial of service attack.

Vulnerability Details

CVEID:CVE-2024-22353
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 280400.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

V23.0.2 - V23.0.2-IF004
V23.0.1 all fixes
V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF032
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes

| affected
IBM Business Automation Workflow traditional| V23.0.1 - V23.0.2
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

V23.0.2
V21.0.3.1

| Follow Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2024-22353)
IBM Business Automation Workflow traditional|

V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.0
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.1 - V18.0.0.3

| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum

Workarounds and Mitigations

None