IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions caused by a failure to honor JMS messaging configuration
Fixes

Solution

IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH67546. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. For IBM WebSphere Application Server Liberty 17.0.0.3 - 25.0.0.8 using the wasJmsServer-1.0, wasJmsSecurity-1.0, wasJmsClient-2.0, messagingServer-3.0, messagingSecurity-3.0, or messagingClient-3.0 feature(s): · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH67546 --OR-- · Apply Liberty Fix Pack 25.0.0.9 or later (targeted availability 3Q2025). Additional interim fixes may be available and linked off the interim fix download page.


Workaround

No workaround given by the vendor.

History

Thu, 14 Aug 2025 06:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*

Tue, 12 Aug 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 19:00:00 +0000

Type Values Removed Values Added
Description IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions caused by a failure to honor JMS messaging configuration
Title IBM WebSphere Application Server Liberty bypass security
First Time appeared Ibm
Ibm websphere Application Server
Weaknesses CWE-268
CPEs cpe:2.3:a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
cpe:2.3:a:ibm:websphere_application_server:25.0.0.7:*:*:*:liberty:*:*:*
Vendors & Products Ibm
Ibm websphere Application Server
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2025-08-12T20:37:21.958Z

Reserved: 2025-04-15T21:16:18.171Z

Link: CVE-2025-36124

cve-icon Vulnrichment

Updated: 2025-08-12T19:00:12.355Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-12T19:15:29.457

Modified: 2025-08-14T01:23:45.570

Link: CVE-2025-36124

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.