Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache Santuario (CVE-2023-44483)

Summary

There is a vulnerability in the Apache Santuario library used by IBM WebSphere Application Server Liberty when the wsSecurity-1.1, wsSecuritySaml-1.1 or samlWeb-2.0 feature is enabled.

Vulnerability Details

CVEID:CVE-2023-44483
**DESCRIPTION:**Apache Santuario could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of a private key in the log files when using the JSR 105 API. By gaining access to the log files, an attacker could exploit this vulnerability to obtain the private key information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269153 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH57933. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature.

For IBM WebSphere Application Server Liberty 17.0.0.3 - 23.0.0.11 using the wsSecurity-1.1, wsSecuritySaml-1.1, or samlWeb-2.0 feature(s):
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH57933
--OR–
· Apply Liberty Fix Pack 23.0.0.12 or later (targeted availability 4Q2023).

Additional interim fixes may be available and linked off the interim fix download page.

Workarounds and Mitigations

None