CVE-2024-45086: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data in the administrative console. The vulnerability, identified as CVE-2024-45086, was discovered by Przemysław Mazurek and publicly disclosed on November 4, 2024. This security flaw affects both versions 8.5 (from 8.5.0.0 to 8.5.5.26) and 9.0 (from 9.0.0.0 to 9.0.5.21) of the WebSphere Application Server (IBM Advisory).

The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference) with a CVSS v3.1 Base Score of 5.5 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and affecting only the user scope (S:U). The impact includes high confidentiality impact (C:H) and low availability impact (A:L), with no integrity impact (I:N) (IBM Advisory).

If exploited, this XXE vulnerability could allow a privileged user to expose sensitive information or consume memory resources on the affected system. The attack specifically targets the XML data processing functionality within the administrative console (IBM Advisory).

IBM recommends addressing the vulnerability by either applying an interim fix containing the fix for APAR PH63032, or upgrading to Fix Pack 9.0.5.22 or later (targeted for 4Q2024) for version 9.0, or Fix Pack 8.5.5.27 or later (targeted for 1Q2025) for version 8.5. No workarounds are available for this vulnerability (IBM Advisory).