CVE-2023-38737: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server Liberty versions 22.0.0.13 through 23.0.0.7 was identified with a denial of service vulnerability tracked as CVE-2023-38737. The vulnerability was disclosed on August 15, 2023, and affects the Liberty server when the restfulWS-3.0 or restfulWS-3.1 feature is enabled (IBM Security Bulletin).

The vulnerability is caused by improper handling of specially-crafted requests, which can lead to uncontrolled resource consumption. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while IBM assessed it with a CVSS score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-20 (Improper Input Validation) (NVD Database).

When exploited, this vulnerability allows a remote attacker to cause the server to consume memory resources, potentially leading to a denial of service condition. The attack affects the availability of the system while not impacting confidentiality or integrity (IBM Security Bulletin).

IBM recommends addressing the vulnerability by applying the interim fix containing APAR PH56004 or upgrading to Liberty Fix Pack 23.0.0.8 or later. For affected versions (22.0.0.13 - 23.0.0.7), users must either apply the interim fix PH56004 after upgrading to the minimal required fix pack level, or upgrade to Liberty Fix Pack 23.0.0.8 or later. No workarounds are available for this vulnerability (IBM Security Bulletin).