IBM Product Security Update Advisory
Overview
IBM has released updates that address vulnerabilities in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty. Users of the affected versions are advised to apply the fixes referenced below.
Affected Products
CVE-2024-37532, CVE-2024-35154
- IBM WebSphere Application Server version: 9.0
- IBM WebSphere Application Server version: 8.5
CVE-2024-22354
- IBM WebSphere Application Server version: 9.0
- IBM WebSphere Application Server version: 8.5
- IBM WebSphere Application Server Liberty versions: 17.0.0.3 through 24.0.0.5 (inclusive)
Resolved Vulnerabilities
Improper verification of a digital signature could allow an attacker to spoof the identity of an authenticated user (CVE-2024-37532)
A remote authenticated attacker with authorized access to the administrative console could execute arbitrary code (CVE-2024-35154)
An XML External Entity (XXE) injection vulnerability when processing XML data could allow a remote attacker to expose sensitive information, consume memory resources, or perform server-side request forgery (CVE-2024-22354)
Vulnerability Patches
Fixes are available in the latest updates. Follow the instructions under "Remediation/Fixes" in the referenced IBM security bulletins to install the fixed version.
CVE-2024-37532
- Apply the fix described under "Remediation/Fixes" in reference [2]
CVE-2024-35154
- Apply the fix described under "Remediation/Fixes" in reference [4]
CVE-2024-22354
- Apply the fix described under "Remediation/Fixes" in reference [6]
Referenced Sites
[1] CVE-2024-37532 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-37532
[2] Security Bulletin: IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532)
https://www.ibm.com/support/pages/node/7158031
[3] CVE-2024-35154 Detail
[4] Security Bulletin: IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154)
https://www.ibm.com/support/pages/node/7159825
[5] CVE-2024-22354 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-22354
[6] Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354)