Security Bulletin: Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent.

Summary

Multiple vulnerabilities in IBM WebSphere Liberty impact IBM License Key Server Administration and Reporting Tool and IBM LKS Administration Agent.

Vulnerability Details

CVEID:CVE-2024-25026
**DESCRIPTION:**IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 are vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 281516.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281516 for the current score.
CVSS Vector:

CVEID:CVE-2024-22329
**DESCRIPTION:**IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3 are vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an attacker could exploit this vulnerability to conduct the SSRF attack. X-Force ID: 279951.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279951 for the current score.
CVSS Vector:

CVEID:CVE-2024-22354
**DESCRIPTION:**IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280401 for the current score.
CVSS Vector:

CVEID:CVE-2024-27268
**DESCRIPTION:**IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 284574.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284574 for the current score.
CVSS Vector:

CVEID:CVE-2023-50312
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274711.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/274711 for the current score.
CVSS Vector:

Affected Products and Versions

Remediation/Fixes

Download and apply Interim Fix Pack IBM_Common_Licensing_ICL_9.0.0.1 from Fix Central

Users are strongly advised to update to the latest version (IBM Common Licensing 9.0.0.1) to mitigate any potential risks associated with this vulnerability.

Workarounds and Mitigations

Upgrade to Websphere Liberty 24.0.0.6

How to upgrade the embedded WebSphere Liberty profile installed with IBM License Key Server Administration and Reporting Tool (ART) and Administration Agent? Please refer to below details on instructions to upgrade Websphere Liberty:

<https://www.ibm.com/support/pages/node/7009455&gt;