
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE components version 8.0.7.0 through 8.0.7.11 were found to contain a vulnerability that could expose sensitive information through a combination of flaws and configurations. This vulnerability was assigned CVE-2023-30441 and was disclosed in April 2023. The affected systems include IBM WebSphere Application Server, IBM WebSphere Application Server Liberty, z/Transaction Processing Facility, and IBM InfoSphere Information Server (IBM Security Bulletin).
The vulnerability has been assigned a CVSS Base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high confidentiality impact without affecting integrity or availability (IBM Security Bulletin, NVD).
The vulnerability could allow an attacker to expose sensitive information through the IBMJCEPlus and JSSE components. The high confidentiality impact rating suggests that the exposure of sensitive information could be significant (IBM Security Bulletin).
IBM has released version 8.0.7.15 to address this vulnerability. For systems that cannot be updated immediately, the workaround is to modify the security provider order in the jre/lib/security/java.security file so that the IBMJCE provider is preferred over the IBMJCEPlus provider. Product-specific fixes are also available: WebSphere Application Server users should upgrade to IBM SDK Java Technology Edition Version 8 SR7 FP15 or later, z/TPF users should apply APAR PJ46945 or later, and InfoSphere Information Server users should apply APAR DT173374 (IBM Security Bulletin, IBM WAS Bulletin).
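To audit hosts for the workaround described above, the following added example (not part of the original advisory or of IBM's tooling) parses a java.security file and reports whether IBMJCE is ranked ahead of IBMJCEPlus, and whether a runtime version falls in the affected range. The provider class names and the sample file contents are assumptions constructed for illustration; confirm the class names against your own java.security file.

```python
import re
import sys

# Assumed provider class names for IBM Java 8; verify against your JRE.
JCEPLUS = "com.ibm.crypto.plus.provider.IBMJCEPlus"
JCE = "com.ibm.crypto.provider.IBMJCE"

# Affected range as stated in the advisory: 8.0.7.0 through 8.0.7.11.
AFFECTED_LOW, AFFECTED_HIGH = (8, 0, 7, 0), (8, 0, 7, 11)

# Matches active "security.provider.N=class" lines; commented lines never match.
_PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*[=:]\s*(\S+)")

# Constructed sample fragments, not taken from a real installation.
SAMPLE_DEFAULT = """\
security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
"""
SAMPLE_WORKAROUND = """\
#security.provider.1=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.1=com.ibm.crypto.provider.IBMJCE
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.plus.provider.IBMJCEPlus
"""

def provider_order(text):
    """Return provider class names sorted by their security.provider.N index."""
    entries = {}
    for line in text.splitlines():
        m = _PROVIDER_RE.match(line)
        if m:
            entries[int(m.group(1))] = m.group(2)  # a later duplicate index wins
    return [entries[i] for i in sorted(entries)]

def workaround_applied(text):
    """True if IBMJCEPlus is not registered, or IBMJCE is ranked before it."""
    order = provider_order(text)
    if JCEPLUS not in order:
        return True  # assumption: an unregistered provider cannot be preferred
    return JCE in order and order.index(JCE) < order.index(JCEPLUS)

def version_affected(version):
    """True if a dotted version such as '8.0.7.5' is inside the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_LOW <= parts <= AFFECTED_HIGH

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], encoding="utf-8") as fh:
        print("workaround applied:", workaround_applied(fh.read()))
```

Run it with the path to a host's java.security file as the only argument; the exact-match comparison means a differently named provider such as a FIPS variant is not mistaken for IBMJCEPlus.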
Source: This report was generated using AI