CVE-2024-22353: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.4 is affected by a denial of service vulnerability (CVE-2024-22353). The vulnerability was discovered and initially published on March 31, 2024, with the latest update on April 23, 2024. This security issue specifically affects installations with the openidConnectClient-1.0 or socialLogin-1.0 feature enabled (IBM Advisory).

The vulnerability is caused by improper handling of specially crafted requests that can lead to excessive memory consumption. The severity assessment according to CVSS 3.1 has two different scores: NIST rates it as HIGH with a base score of 7.5 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), while IBM Corporation rates it as MEDIUM with a base score of 5.9 (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability allows a remote attacker to cause the server to consume memory resources, potentially leading to a denial of service condition. The attack can be executed remotely without requiring authentication or user interaction (NVD).

IBM recommends addressing the vulnerability by either applying the interim fix PH59146 or upgrading to Liberty Fix Pack 24.0.0.5 or later (targeted availability 2Q2024). For the interim fix approach, users must first upgrade to the minimal fix pack levels as required. No workarounds are available for this vulnerability (IBM Advisory).