[CIVN-2026-0109] Vulnerability in IBM WebSphere Application Server

Published On: February 27, 2026

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Vulnerability in IBM WebSphere Application Server 
Indian Computer Emergency Response Team (CERT-In) (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
IBM WebSphere Application Server (versions 8.5 and 9.0)
IBM WebSphere Application Server Liberty (versions 21.0.0.3 through 26.0.0.2)
Overview
A vulnerability has been reported in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which could allow remote attackers to cause a denial-of-service (DoS) condition by sending specially crafted JWE tokens.
Target Audience:
Organizations and individuals using IBM WebSphere Application Server and IBM WebSphere Application Server Liberty.
Risk Assessment:
High risk of service disruption and potential application instability.
Impact Assessment:
Loss of availability: the affected server can be driven into a denial-of-service condition, causing outages of the applications it hosts.
Description
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are enterprise application servers that host critical business applications and web services across many industries. Both bundle the third-party jose4j library, which they use to process JSON Web Encryption (JWE) tokens for secure communications.
The vulnerability lies in jose4j's handling of JWE tokens that use the "zip":"DEF" (DEFLATE) compression parameter: the library does not bound the size of the inflated plaintext, so a small, highly compressible payload can expand to many times its own size. An attacker who can submit such a token to an endpoint that decrypts it forces the server to allocate excessive memory and spend excessive processing time on decompression. Because a JWE's plaintext is compressed before it is encrypted, inflation happens only after the token has been decrypted; where the token is encrypted to an asymmetric key whose public half is obtainable, any remote party can produce a qualifying token, whereas with a shared symmetric key the attacker must first possess that key.
Successful exploitation allows the attacker to cause a denial-of-service (DoS) condition on the affected server.
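The weakness described above, as an added example that is not part of this advisory or of the jose4j or IBM code: a Python model of a "zip":"DEF" JWE payload that shows the unbounded inflate a vulnerable decoder performs beside a bounded inflate that stops as soon as the output passes a configured budget, plus a pre-decryption gate that rejects any token asking for compression when the application never issues compressed tokens. Python is used here rather than Java so the example runs stand-alone; the limits (1 MiB, ratio 100), the sample claims set, the placeholder JWE segments and the constructed 8 MiB zero-filled bomb are all illustrative assumptions, not values taken from the affected products.

```python
import base64
import json
import zlib

# Policy values chosen for this example; they are not jose4j's or IBM's settings.
MAX_INFLATED_BYTES = 1 * 1024 * 1024  # hard cap on inflated plaintext size
MAX_RATIO = 100                       # reject when inflated/compressed exceeds this


class DecompressionLimitExceeded(ValueError):
    """Raised when a 'zip':'DEF' payload would inflate past the configured budget."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def deflate_raw(data: bytes) -> bytes:
    # RFC 7516 "zip":"DEF" means raw DEFLATE (RFC 1951): negative wbits, no zlib header.
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(data) + comp.flush()


def inflate_unbounded(compressed: bytes) -> bytes:
    # The vulnerable pattern: inflate whatever the token carries, however large it gets.
    return zlib.decompress(compressed, wbits=-15)


def inflate_bounded(compressed: bytes, max_bytes: int = MAX_INFLATED_BYTES,
                    max_ratio: int = MAX_RATIO) -> bytes:
    """Hardened pattern: stream-inflate and stop as soon as the output exceeds the budget,
    so a small bomb never gets to allocate its full inflated size."""
    budget = min(max_bytes, max_ratio * len(compressed))
    dec = zlib.decompressobj(wbits=-15)
    out = bytearray()
    data = compressed
    while data and not dec.eof:
        # Ask for at most one byte beyond the budget; receiving it proves the token is oversized.
        out += dec.decompress(data, budget + 1 - len(out))
        if len(out) > budget:
            raise DecompressionLimitExceeded(
                f"inflated size exceeds {budget} bytes for {len(compressed)} compressed bytes")
        data = dec.unconsumed_tail
    if not dec.eof:
        raise ValueError("truncated or malformed DEFLATE stream")
    return bytes(out)


def zip_permitted(compact_jwe: str, allow_zip: bool = False) -> bool:
    """Pre-decryption gate: parse only the protected header of a compact JWE and refuse
    any token that asks for compression unless the application expects compressed tokens."""
    segments = compact_jwe.split(".")
    if len(segments) != 5:
        return False
    try:
        header = json.loads(b64url_decode(segments[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(header, dict) or "zip" not in header:
        return isinstance(header, dict)
    return allow_zip and header["zip"] == "DEF"


# Constructed sample inputs (not real tokens from the advisory).
LEGIT_PLAINTEXT = b'{"sub":"alice","role":"user","exp":1800000000}'
LEGIT_COMPRESSED = deflate_raw(LEGIT_PLAINTEXT)
BOMB_PLAINTEXT_LEN = 8 * 1024 * 1024          # 8 MiB of zeros inflates from a few KiB
BOMB_COMPRESSED = deflate_raw(b"\x00" * BOMB_PLAINTEXT_LEN)


def sample_compact_jwe(header: dict) -> str:
    # Header-only compact JWE with placeholder segments: enough to exercise the gate.
    return ".".join([b64url_encode(json.dumps(header).encode()), "x", "x", "x", "x"])


ZIP_JWE = sample_compact_jwe({"alg": "RSA-OAEP-256", "enc": "A256GCM", "zip": "DEF"})
PLAIN_JWE = sample_compact_jwe({"alg": "RSA-OAEP-256", "enc": "A256GCM"})


def evaluate(compressed: bytes) -> dict:
    """Run both inflaters over one compressed payload and report what each did."""
    result = {"compressed_bytes": len(compressed),
              "unbounded_inflated_bytes": len(inflate_unbounded(compressed))}
    try:
        inflate_bounded(compressed)
        result["bounded"] = "accepted"
    except DecompressionLimitExceeded:
        result["bounded"] = "rejected"
    return result


if __name__ == "__main__":
    print("legit :", evaluate(LEGIT_COMPRESSED))
    print("bomb  :", evaluate(BOMB_COMPRESSED))
    print("zip header gate:", zip_permitted(ZIP_JWE), zip_permitted(PLAIN_JWE))
```

The bounded inflater caps the work at the smaller of an absolute byte limit and a multiple of the compressed size, which keeps a few-kilobyte bomb from ever reaching its multi-megabyte inflated form; pick the ratio with your own tokens in mind, since a very repetitive legitimate claims set can exceed a tight ratio. The header gate is a compensating control for deployments that cannot patch immediately and never issue compressed JWEs; it is not a substitute for applying the IBM update.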
Solution
Apply the appropriate updates as described in the IBM advisory:
https://www.ibm.com/support/pages/node/7261794
Vendor Information
IBM
https://www.ibm.com/support/pages/node/7261794
References
 
https://www.ibm.com/support/pages/node/7261794
CVE Name
CVE-2024-29371
 
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
=mpCZ
-----END PGP SIGNATURE-----
