Security Bulletin: Denial of service due to GraphQL Java in IBM WebSphere Application Server Liberty affects IBM Operations Analytics – Log Analysis (CVE-2024-40094)
Description

Summary

There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics – Log Analysis.

Vulnerability Details

CVEID: CVE-2024-40094
DESCRIPTION: GraphQL Java (aka graphql-java) is vulnerable to a denial of service, caused by the failure to properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service. By using introspection queries, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-20: Improper Input Validation
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
Log Analysis | 1.3.7.0
Log Analysis | 1.3.7.1
Log Analysis | 1.3.7.2
Log Analysis | 1.3.8.0
Log Analysis | 1.3.8.1

Remediation/Fixes

Principal Product and Version(s) | Fix details
---|---
IBM Operations Analytics – Log Analysis version 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1 | Upgrade the Liberty version to WebSphere Application Server Liberty 24.0.0.12 (use wlp-core-all-24.0.0.12.jar) by following these steps. Reference: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094)

Workarounds and Mitigations

…
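The remediation above is a version threshold: any bundled Liberty below 24.0.0.12 is still exposed. A common mistake when checking this in an inventory script is to compare version strings lexicographically, which ranks "24.0.0.9" above "24.0.0.12". The following is an added example (not IBM's code and not part of the bulletin) that reads the product version from a Liberty properties file and compares it numerically against the fixed level, and that checks a Log Analysis version against the affected list from the bulletin. It assumes Liberty records its level under the key `com.ibm.websphere.productVersion` in `wlp/lib/versions/WebSphereApplicationServer.properties`; the properties text below is constructed for the example.

```python
"""Check a WebSphere Liberty install against the fixed level named in the
bulletin (24.0.0.12) and a Log Analysis version against the affected list.
Added example; not IBM's code."""

# Values taken from the bulletin.
FIXED_LIBERTY_VERSION = "24.0.0.12"
AFFECTED_LOG_ANALYSIS = {"1.3.7.0", "1.3.7.1", "1.3.7.2", "1.3.8.0", "1.3.8.1"}

# Assumption: Liberty writes its product level under this key in
# wlp/lib/versions/WebSphereApplicationServer.properties.
VERSION_KEY = "com.ibm.websphere.productVersion"

# Constructed sample of such a properties file (not a real file's contents).
SAMPLE_PROPERTIES_OLD = """\
# WebSphere Application Server Liberty product information (constructed sample)
com.ibm.websphere.productId=com.ibm.websphere.appserver
com.ibm.websphere.productVersion=24.0.0.9
"""


def parse_version(text):
    """Turn '24.0.0.12' into (24, 0, 0, 12) so comparison is numeric per field."""
    return tuple(int(part) for part in text.strip().split("."))


def liberty_version_from_properties(properties_text):
    """Return the product version string from Java-properties-style text."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == VERSION_KEY:
            return value.strip()
    raise ValueError(f"{VERSION_KEY} not found in properties text")


def liberty_is_below_fix(properties_text):
    """True when the installed Liberty level is lower than the fixed level."""
    installed = liberty_version_from_properties(properties_text)
    return parse_version(installed) < parse_version(FIXED_LIBERTY_VERSION)


def log_analysis_is_affected(version):
    """True when the Log Analysis version is one the bulletin lists as affected."""
    return version.strip() in AFFECTED_LOG_ANALYSIS


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_PROPERTIES_OLD
    installed = liberty_version_from_properties(text)
    state = "below fixed level" if liberty_is_below_fix(text) else "at or above fixed level"
    print(f"Liberty {installed}: {state} ({FIXED_LIBERTY_VERSION})")
```

Run it with the path to the properties file as the only argument; without an argument it evaluates the constructed sample. Note that the bulletin's scope is the Liberty bundled with Log Analysis, so this check says nothing about other graphql-java deployments.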
