CVE-2023-50314: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.8 is affected by a security vulnerability that could allow network-based attackers to conduct spoofing attacks. The vulnerability was assigned CVE-2023-50314 and was publicly disclosed on August 14, 2024. This vulnerability specifically affects the Liberty component of WebSphere Application Server and involves certificate validation issues (IBM Security).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NVD and 5.3 MEDIUM by IBM Corporation. The vulnerability's attack vector is through adjacent network access, with high attack complexity, requiring no privileges or user interaction. The scope is unchanged, with potential high impact on confidentiality but no impact on integrity or availability. The CVSS vector string is CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is related to improper certificate validation (CWE-295) (NVD).

An attacker with access to the network could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. The primary impact is on the confidentiality of data, potentially leading to information disclosure (IBM Security, X-Force Exchange).

IBM strongly recommends addressing the vulnerability by applying currently available interim fix or fix pack containing APAR PH58796. Users can either upgrade to minimal fix pack levels and apply Interim Fix PH58796, or apply Liberty Fix Pack 24.0.0.9 or later (targeted availability 3Q2024). No workarounds are available for this vulnerability (IBM Security).