CVE-2023-50313: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 8.5 and 9.0 contain a security vulnerability (CVE-2023-50313) that could provide weaker than expected security for outbound TLS connections. The vulnerability was disclosed on April 2, 2024, and is caused by a failure to honor user configuration. This affects both traditional WebSphere Application Server installations across multiple platforms including AIX, HP-UX, IBM i, Linux, Solaris, Windows, and z/OS (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (NIST) and 5.3 MEDIUM (IBM Corporation) with a vector string of CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is tracked under IBM X-Force ID: 274812 and is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) (NVD, IBM Advisory).

The vulnerability affects the security of outbound TLS connections in WebSphere Application Server environments. When exploited, it could result in weaker than intended security for TLS connections due to the system's failure to properly implement user-configured security settings (IBM Advisory).

IBM recommends addressing the vulnerability by applying currently available interim fix or fix pack containing APAR PH61385. For V9.0.0.0 through 9.0.5.19, users should either upgrade to minimal fix pack levels and apply Interim Fix PH61385 or apply Fix Pack 9.0.5.20 or later (targeted for 2Q2024). For V8.5.0.0 through 8.5.5.25, users should either upgrade to minimal fix pack levels and apply Interim Fix PH61385 or apply Fix Pack 8.5.5.26 or later (targeted for 3Q2024) (IBM Advisory).