CVE-2024-45072: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. The vulnerability, identified as CVE-2024-45072, was disclosed on October 16, 2024. The affected versions include WebSphere Application Server from version 8.5.0.0 through 8.5.5.26 and version 9.0.0.0 through 9.0.5.21 (IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L. The weakness is categorized as CWE-611: Improper Restriction of XML External Entity Reference. The vulnerability affects multiple operating system platforms including HP-UX, AIX, IBM i, z/OS, Linux, Windows, and Solaris (IBM Advisory).

A privileged user could exploit this vulnerability to expose sensitive information or consume memory resources. The vulnerability primarily affects the confidentiality and availability of the system, with high impact on data confidentiality and low impact on system availability (IBM Advisory).

IBM recommends addressing the vulnerability by either applying an interim fix containing the fix for APAR PH63541, or upgrading to Fix Pack 9.0.5.22 or later (targeted for 4Q2024) for version 9.0, or Fix Pack 8.5.5.27 or later (targeted for 1Q2025) for version 8.5. No workarounds are available for this vulnerability (IBM Advisory).