Summary WebSphere Liberty is used by IBM Cloud Pak System as part of the WebSphere Liberty pattern type using GraphQL Java (CVE-2024-40094). Vulnerability Details CVEID:CVE-2024-40094 DESCRIPTION: GraphQL Java (aka graphql-java) is vulnerable to a denial of service, caused by the failure to properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service. By using introspection queries, a remote attacker could exploit this vulnerability to cause a denial of service. CWE:CWE-20: Improper Input Validation CVSS Source: IBM X-Force CVSS Base score: 5.3 CVSS Vector:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Affected Products and Versions Affected Product(s)| Version(s) (Power) —|— IBM Cloud Pak System| 2.3.3.7 2.3.3.7 Ifix1 IBM Cloud Pak System| 2.3.3.6 2.3.3.6 iFIx1 2.3.3.6 iFix2 IBM Cloud Pak System| 2.3.4.0 IBM Cloud Pak System| 2.3.4.1 2.3.4.1 IFix1 Remediation/Fixes IBM strongly recommends addressing the vulnerability now by applying the fix reported below. For Power, upgrade/migrate to Cloud Pak System 2.3.5.0 on Fix Central / Passport Advantage Online information on upgrading at https://www.ibm.com/support/docview.wss?uid=ibm10887959 download and apply interim fix PH63673 at PH63673:IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094 CVSS 5.3) follow instructions at:https://www.ibm.com/docs/en/cloud-pak-system-software/2.3.5?topic=fixes-applying-virtual-system-instances…Read More