CVE-2024-22329 Overview
CVE-2024-22329 is a Server-Side Request Forgery (SSRF) vulnerability affecting IBM WebSphere Application Server. The flaw exists in IBM WebSphere Application Server versions 8.5 and 9.0, as well as IBM WebSphere Application Server Liberty versions 17.0.0.3 through 24.0.0.3. An attacker on an adjacent network can send a specially crafted request to coerce the server into issuing unintended outbound requests. IBM tracks this issue as X-Force ID 279951. The vulnerability is classified under CWE-918 (Server-Side Request Forgery).
Critical Impact
An adjacent network attacker can abuse the WebSphere request handler to reach internal services, exposing limited confidential information from systems reachable by the application server.
Affected Products
- IBM WebSphere Application Server 8.5 (traditional)
- IBM WebSphere Application Server 9.0 (traditional)
- IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.3
Discovery Timeline
- 2024-04-17 - CVE-2024-22329 published to NVD
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2024-22329
Vulnerability Analysis
The vulnerability is a Server-Side Request Forgery (SSRF) weakness in the request handling logic of IBM WebSphere Application Server. The server processes a crafted request and initiates an outbound HTTP request to a destination chosen by the attacker. The attacker does not need authentication to trigger the flaw, but they must reside on an adjacent network segment relative to the target. Successful exploitation can disclose limited information about internal services reachable from the application server. The impact is constrained to confidentiality, with no direct effect on data integrity or service availability based on the scoring vector.
The issue carries an EPSS probability of approximately 0.036%, indicating low observed exploitation likelihood in the wild. It is not listed in the CISA Known Exploited Vulnerabilities catalog, and no public proof-of-concept is currently available.
Root Cause
The root cause is insufficient validation of URL or host parameters consumed by a server-side component that performs outbound network requests. When the server accepts attacker-controlled destination data without enforcing an allowlist or origin restrictions, it acts as a proxy on behalf of the attacker. This pattern is the defining characteristic of CWE-918.
Attack Vector
The attack vector is Adjacent Network, meaning the attacker must have access to the same broadcast or collision domain, or a logically adjacent network, as the WebSphere instance. The attacker sends a single crafted HTTP request to a vulnerable endpoint. The server then issues an outbound request that the attacker can use to probe internal infrastructure, fingerprint services, or retrieve metadata from internal endpoints. No user interaction or prior privileges are required.
No verified proof-of-concept code is publicly available. Refer to the IBM X-Force Vulnerability #279951 entry for additional technical context.
Detection Methods for CVE-2024-22329
Indicators of Compromise
- Unexpected outbound HTTP or HTTPS connections originating from the WebSphere Application Server process to internal IP ranges or cloud metadata endpoints such as 169.254.169.254.
- HTTP access logs containing requests with URL, host, or redirect parameters pointing to internal hostnames or non-public IP addresses.
- Spikes in short-lived outbound connections from the application server to RFC1918 ranges that do not match documented integration patterns.
Detection Strategies
- Inspect WebSphere SystemOut.log and HTTP access logs for request parameters that contain fully qualified URLs or IP literals supplied by remote clients.
- Correlate inbound HTTP requests with outbound connections from the WebSphere JVM using network flow data to identify proxy-like behavior.
- Apply web application firewall rules that flag parameters carrying URL schemes (http://, https://, file://, gopher://) targeting internal address space.
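The access-log inspection described above, as an added example (not IBM's or the page's own tooling): it scans constructed NCSA-style log lines, pulls query parameters out of each request line, and flags values that are inline URLs with the schemes named above, URLs pointing at private, link-local or loopback addresses, or bare internal IP literals. The log lines, endpoint paths, parameter names and the internal-hostname suffix pattern are all assumptions for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlparse

# Constructed sample access-log lines (not real WebSphere output).
SAMPLE_LOG = """\
10.1.2.3 - - [17/Apr/2024:10:00:01 +0000] "GET /app/fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512
10.1.2.4 - - [17/Apr/2024:10:00:02 +0000] "GET /app/fetch?url=https://www.example.com/page HTTP/1.1" 200 2048
10.1.2.5 - - [17/Apr/2024:10:00:03 +0000] "GET /app/redirect?target=file:///etc/passwd HTTP/1.1" 302 0
10.1.2.6 - - [17/Apr/2024:10:00:04 +0000] "GET /app/proxy?host=10.0.0.5 HTTP/1.1" 200 64
10.1.2.7 - - [17/Apr/2024:10:00:05 +0000] "GET /app/page?id=42 HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')
# Non-HTTP schemes the WAF guidance above singles out; never expected from a browser.
SUSPECT_SCHEMES = {"file", "gopher"}
# Assumed naming convention for internal hosts; adjust to your environment.
INTERNAL_NAME_RE = re.compile(r"^(localhost|[^.]+(\.internal|\.local|\.corp))$", re.I)


def is_internal_host(host):
    """True for private/link-local/loopback IP literals or internal-looking names."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return bool(INTERNAL_NAME_RE.match(host))
    return ip.is_private or ip.is_link_local or ip.is_loopback


def classify_value(value):
    """Return a reason if a parameter value looks like an SSRF probe, else None."""
    parsed = urlparse(value)
    scheme = parsed.scheme.lower()
    if scheme in SUSPECT_SCHEMES:
        return f"non-http scheme {scheme}"
    if scheme in ("http", "https"):
        if parsed.hostname and is_internal_host(parsed.hostname):
            return f"url to internal host {parsed.hostname}"
        return None
    if not scheme and is_internal_host(value):
        return f"bare internal host {value}"
    return None


def scan_access_log(text):
    """Return (client, path, param, reason) tuples for suspicious request parameters."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlparse(m.group(1))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append((line.split()[0], target.path, name, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("SSRF indicator:", hit)
```

Feed the parsed hits into the inbound/outbound correlation step: a flagged request followed within seconds by a new outbound connection from the WebSphere JVM to the same internal host is the proxy-like pattern the next bullet describes.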
Monitoring Recommendations
- Forward WebSphere application logs and host network telemetry to a centralized analytics platform for correlation against SSRF detection rules.
- Alert on any outbound traffic from the application server to cloud instance metadata services or management interfaces.
- Track version inventory for WebSphere traditional and Liberty deployments to confirm that all instances are within the supported patched range.
How to Mitigate CVE-2024-22329
Immediate Actions Required
- Apply the interim fix or cumulative fix referenced in the IBM Support Advisory #7148380 to all affected WebSphere traditional and Liberty deployments.
- Restrict network access to WebSphere administrative and application interfaces so that only trusted adjacent hosts can reach them.
- Audit application code and configuration for endpoints that accept URL-style parameters from untrusted callers.
Patch Information
IBM has published remediation guidance in IBM Support Advisory #7148380. Administrators should apply the interim fix for the affected version stream of WebSphere Application Server traditional (8.5, 9.0) or upgrade WebSphere Application Server Liberty beyond the 24.0.0.3 fix level as directed by IBM. Validate fix application by checking the installed product version after patching.
Workarounds
- Enforce egress filtering on the application server tier to deny outbound connections to internal management ranges and cloud metadata endpoints.
- Place WebSphere endpoints behind a reverse proxy or WAF configured to reject request parameters containing inline URLs or unexpected schemes.
- Segment the network so that WebSphere instances cannot directly reach sensitive internal services unless explicitly required by an integration.
# Example egress restriction using iptables to block metadata service access
iptables -A OUTPUT -m owner --uid-owner wasuser -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -m owner --uid-owner wasuser -d 10.0.0.0/8 -p tcp --dport 22 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.