PH59682:IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354 CVSS 7.0)

Abstract

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354 CVSS 7.0)

Download Description


THIS FIX HAS BEEN SUPERSEDED BY LATER IFIXES

The Liberty fixes on this page are superseded by a fix for another APAR. The links to the Liberty fixes for PH59682 are removed from this page. See PH61042 (PH59682 regressed the <x:transform> tag in pages-3.0 and productInfo -validate fails) to find new Liberty fixes that resolve PH59682.

The WebSphere (traditional) fixes on this page are superseded by a fix for another APAR. The links to the WebSphere (traditional) fixes for PH59682 are removed from this page. See PH61385 to find new WebSphere (traditional) fixes that resolve PH59682.


PH59682 resolves the following problem:

ERROR DESCRIPTION:
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354 CVSS 7.0)

LOCAL FIX:

PROBLEM SUMMARY:
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2024-22354 CVSS 7.0)

PROBLEM CONCLUSION:
Confidential for CVE-2024-22354.

The fix for this APAR is targeted for inclusion in 8.5.5.26, 9.0.5.20, and 24.0.0.5.

For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553


Prerequisites

None

Problems Solved

PH59682

Change History

23 April 2024: Add fix files for Liberty 24.0.0.4.
01 May 2024: Supersede the Liberty fixes with PH61042 and remove the fix links from the page.
21 May 2024: Supersede the WebSphere (traditional) fixes with PH61385 and remove the fix links from the page.

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
21 May 2024

UID

ibm17148359