
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM WebSphere Application Server versions 8.5 and 9.0 contain a vulnerability that could allow an attacker with network access to conduct spoofing attacks. This vulnerability was assigned CVE-2023-50315 and was disclosed on August 14, 2024. The vulnerability affects IBM WebSphere Application Server versions 8.5.0.0 and 9.0.0.0 (NVD, CVE).
The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. IBM Corporation assessed it with a slightly lower CVSS score of 5.3 (Medium) with vector string CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-295 (Improper Certificate Validation) (NVD).
An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. The vulnerability primarily affects the confidentiality of the system, with potential for high impact on information disclosure (IBM Advisory).
IBM recommends addressing the vulnerability by applying the currently available interim fix or a fix pack containing APAR PH58798. For versions 9.0.0.0 through 9.0.5.20, users should either upgrade to minimal fix pack levels and apply Interim Fix PH58798, or apply Fix Pack 9.0.5.21 or later (targeted for 3Q2024). For versions 8.5.0.0 through 8.5.5.26, users should either upgrade to minimal fix pack levels and apply Interim Fix PH58798, or apply Fix Pack 8.5.5.27 or later (targeted for 1Q2025) (IBM Advisory).
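The version ranges above can be turned into an inventory check. The following is an added example, not IBM's or the database's own tooling; the inventory layout, host names and status labels are assumptions made for illustration, and it does not verify the minimal fix pack level the interim fix requires, because the page does not state it.

```python
import re

APAR = "PH58798"
# Branch -> first fix pack that contains the APAR, as stated in the advisory text.
FIXED_IN = {
    (8, 5): (8, 5, 5, 27),
    (9, 0): (9, 0, 5, 21),
}

def parse_version(text):
    """Return a 4-tuple of ints for a 'V.R.M.F' string, or None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def assess(version, installed_apars=()):
    """Classify one installation against the CVE-2023-50315 remediation levels."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"          # do not guess; flag for manual review
    fixed_in = FIXED_IN.get(v[:2])
    if fixed_in is None:
        return "not-listed"               # branch not covered by this advisory text
    # Compare as integer tuples: as strings, "9.0.5.7" would sort after "9.0.5.21".
    if v >= fixed_in:
        return "fixed-by-fix-pack"
    if APAR in {a.strip().upper() for a in installed_apars}:
        return "fixed-by-interim-fix"
    return "vulnerable"

def needs_action(inventory):
    """Return hosts that are vulnerable or could not be classified, sorted by name."""
    flagged = []
    for host, version, apars in inventory:
        status = assess(version, apars)
        if status in ("vulnerable", "unknown-version"):
            flagged.append((host, status))
    return sorted(flagged)

# Constructed sample inventory: (host, reported version, installed APAR ids).
SAMPLE_INVENTORY = [
    ("was-prod-01", "9.0.5.7", []),
    ("was-prod-02", "9.0.5.20", ["ph58798"]),
    ("was-prod-03", "9.0.5.21", []),
    ("was-legacy-01", "8.5.5.26", []),
    ("was-legacy-02", "8.5.5.27", []),
    ("was-lab-01", "9.0.5", []),
]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```
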
Source: This report was generated using AI