Security researchers have discovered a critical vulnerability in IBM WebSphere Application Server versions 8.5 and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5, identified as CVE-2024-22354. This vulnerability is an XML External Entity Injection (XXE) flaw that a remote attacker can exploit to expose sensitive information, consume memory resources, or even carry out a server-side request forgery attack.

IBM X-Force ID 280401 highlights the severity of this issue, and this post will provide details of the vulnerability, a code snippet, and links to original references for further information.

Vulnerability Details

An XXE attack occurs when an application's XML parser processes a document type definition (DTD) supplied by the attacker and resolves the external entities it declares. In this case, the affected IBM WebSphere Application Server is vulnerable to an XXE attack when processing XML data.

A remote attacker could exploit this vulnerability to obtain sensitive information or even trigger a server-side request forgery attack, which could lead to unauthorized access, data leakage, or DoS attacks (i.e., overwhelming the server's resources).

Exploit Details

In order to exploit this vulnerability, an attacker would need to send specially crafted XML data to the vulnerable application. By doing so, they can trigger the XXE attack and access sensitive information or consume memory resources.

Here's a sample code snippet that demonstrates how an attacker could exploit this vulnerability:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

This code snippet demonstrates an XXE attack that attempts to read the "/etc/passwd" file typically found on Linux-based systems. If successful, the attacker would gain access to sensitive information contained within the file, such as user account data.

Mitigation

IBM has released fixes for the affected versions of WebSphere Application Server. Users are advised to apply these fixes immediately to prevent exploitation of this vulnerability.

* IBM WebSphere Application Server 8.5: Fix (https://www.ibm.com/support/pages/node/6397344)
* IBM WebSphere Application Server 9.0: Fix (https://www.ibm.com/support/pages/node/6397347)
* IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.5: Fix (https://www.ibm.com/support/pages/node/639735)

Original References

For further details about this vulnerability and the provided fixes, users can refer to the following resources:

1. IBM Security Vulnerability Description with X-Force ID: 280401 (https://exchange.xforce.ibmcloud.com/vulnerabilities/280401)
2. CVE-2024-22354 Details in the National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2024-22354)

Conclusion

CVE-2024-22354 is a critical vulnerability affecting IBM WebSphere Application Server versions 8.5 and 9.0 and Liberty 17.0.0.3 through 24.0.0.5. Exploitation of this vulnerability can lead to unauthorized access, data leakage, or DoS attacks. IBM has provided fixes for the affected versions, and users are advised to apply them as soon as possible. Stay vigilant and keep your software patched in a timely manner to prevent such vulnerabilities from being exploited.

Timeline

Published on: 04/17/2024 01:15:06 UTC
Last modified on: 06/28/2024 20:07:50 UTC