IBM WebSphere Application Server Liberty information disclosure
Description
IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274711.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM WebSphere Liberty fails to honor user TLS configuration for outbound connections, potentially allowing weaker security than expected.
Vulnerability
IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.2 do not properly honor user configuration for outbound TLS connections [1]. This causes the server to negotiate TLS connections with weaker security than what the administrator intended, potentially allowing the use of deprecated protocols or cipher suites.
Exploitation
An attacker with adjacent network access (CVSS:AV:A) and prior knowledge of the outbound connection timing can exploit this vulnerability. The complexity is high (CVSS:AC:H) as the attacker must position themselves to intercept or modify the TLS handshake. No authentication or user interaction is required. The failure to enforce the configured TLS settings allows the attacker to potentially downgrade the security of the connection [1].
Impact
Successful exploitation of this vulnerability results in a high confidentiality impact (CVSS:C:H). An attacker may obtain sensitive information transmitted over the vulnerable outbound TLS connection, as the weakened security could expose the data in transit. Integrity and availability are not affected [1].
Mitigation
IBM recommends upgrading to Liberty Fix Pack 24.0.0.3 or later, which contains the fix for APAR PH58870. Alternatively, apply Interim Fix PH60113 to the current installation. No workarounds are available [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 17.0.0.3 through 24.0.0.2
- Range: 17.0.0.3
Patches
No patches discovered yet.
References
- www.ibm.com/support/pages/node/7125527 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/274711 (mitre, vdb-entry)