Published: May 13, 2024, 11:42 a.m.

Security Bulletin: A vulnerability in WebSphere Application Server Liberty affects IBM Operations Analytics - Log Analysis (CVE-2024-22354)

Source: www.ibm.com
Tags: ibm, websphere, xxe, vulnerability, operations analytics, log analysis, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, remediation, upgrade, interim fix, ph61042

CVSS3: 7 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

AI Score: 7.3 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Summary

IBM WebSphere Application Server Liberty is vulnerable to an XML External Entity (XXE) injection vulnerability.

Vulnerability Details

CVEID: CVE-2024-22354
**DESCRIPTION:** IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or conduct a server-side request forgery attack. IBM X-Force ID: 280401.
CVSS Base score: 7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/280401 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)

Affected Products and Versions

Affected Product(s) and Version(s):
Log Analysis 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1

Remediation/Fixes

Principal Product and Version(s): IBM Operations Analytics - Log Analysis version 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0 and 1.3.8.1

Fix details:

1. For Log Analysis version 1.3.5.3 to 1.3.8.0, download wlp-core-all-23.0.0.12.jar and upgrade Liberty to version 23.0.0.12.

2. For Log Analysis version 1.3.5.3 to 1.3.8.1, download 230012-wlp-archive-IFPH61042 and apply interim fix PH61042 on Liberty 23.0.0.12.

The interim fix targets Liberty 23.0.0.12, so on 1.3.5.3 to 1.3.8.0 complete step 1 before step 2; 1.3.8.1 needs only step 2.
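A verification step for the two-part fix above, written for this page as an added example (it is not IBM's code). It assumes the Liberty runtime under Log Analysis reports its level through `wlp/bin/productInfo version --ifixes`, with a `Product version:` line and installed iFix IDs somewhere in the output; the three sample outputs are constructed, not captured from a real system, so compare them with your own install and adjust the patterns if the layout differs.

```shell
#!/bin/sh
# Added example (not IBM's code): check whether a Liberty runtime embedded in
# Log Analysis carries the remediation this bulletin prescribes, i.e. Liberty
# 23.0.0.12 with interim fix PH61042 installed.
#
# ASSUMPTION: input is shaped like `wlp/bin/productInfo version --ifixes`
# output, with a "Product version:" line and iFix IDs listed in the text.

REQUIRED_VERSION="23.0.0.12"
REQUIRED_IFIX="PH61042"

# Constructed sample outputs, not captured from a real system.
SAMPLE_REMEDIATED='Product name: WebSphere Application Server
Product version: 23.0.0.12
Product edition: CORE
Installed interim fixes: PH61042'

SAMPLE_OLD_LIBERTY='Product name: WebSphere Application Server
Product version: 23.0.0.9
Product edition: CORE
Installed interim fixes: none'

SAMPLE_MISSING_IFIX='Product name: WebSphere Application Server
Product version: 23.0.0.12
Product edition: CORE
Installed interim fixes: none'

# version_ge A B: exit 0 when dotted version A >= B, else 1.
# Components are compared numerically; a plain string compare would rank
# 23.0.0.9 above 23.0.0.12 and pass an unpatched runtime.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, ".")
    m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# liberty_remediated: reads productInfo output on stdin, prints a verdict and
# returns 0 only when both the version floor and the iFix requirement are met.
liberty_remediated() {
  out=$(cat)
  ver=$(printf '%s\n' "$out" | awk -F': *' '/^Product version:/ { print $2; exit }')
  if [ -z "$ver" ]; then
    echo "no 'Product version:' line found; cannot assess"
    return 1
  fi
  if ! version_ge "$ver" "$REQUIRED_VERSION"; then
    echo "Liberty $ver is below $REQUIRED_VERSION: upgrade with wlp-core-all-$REQUIRED_VERSION.jar, then apply $REQUIRED_IFIX"
    return 1
  fi
  if ! printf '%s\n' "$out" | grep -q "$REQUIRED_IFIX"; then
    echo "Liberty $ver found but $REQUIRED_IFIX is not installed: apply 230012-wlp-archive-IF$REQUIRED_IFIX"
    return 1
  fi
  echo "Liberty $ver with $REQUIRED_IFIX installed: CVE-2024-22354 remediation present"
  return 0
}

# Demo on the constructed samples; `|| true` keeps a failing verdict from
# aborting a shell that runs with errexit.
printf '%s\n' "$SAMPLE_REMEDIATED"   | liberty_remediated || true
printf '%s\n' "$SAMPLE_OLD_LIBERTY"  | liberty_remediated || true
printf '%s\n' "$SAMPLE_MISSING_IFIX" | liberty_remediated || true

# On a live system (LIBERTY_HOME is an assumption; point it at the Liberty
# install that Log Analysis uses):
# "$LIBERTY_HOME/bin/productInfo" version --ifixes | liberty_remediated
```

The script encodes the bulletin's remediation literally (23.0.0.12 plus PH61042). It does not know which other Liberty levels contain the fix, so a runtime at a different level is reported against this bulletin's requirements rather than judged fixed or vulnerable on its own.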

Workarounds and Mitigations

None

Affected configurations (Vulners node): ibm smartcloud_analytics_log_analysis matching any of 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1
