Lucene search

IBM06DD0EB590DA575E0373B00817685BC874D57197F948F6617352D1F0A74950FE

HistoryJun 10, 2024 - 10:46 p.m.

Security Bulletin: Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation.

2024-06-1022:46:58

www.ibm.com

ibm mq

robotic process automation

vulnerabilities

denial of service

confidentiality impact

integrity impact

availability impact

security fixes

java se

jsse

eclipse openj9

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.7%

JSON

Summary

Multiple vulnerabilities in IBM MQ affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation for message queueing. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-5072
**DESCRIPTION:**JSON-java is vulnerable to a denial of service, caused by a bug in the parser. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268485 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-22081
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentiality impact, no integrity impact, and low availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268929 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-5676
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.14, 23.0.0 - 23.0.14
IBM Robotic Process Automation	21.0.0 - 21.0.7.14, 23.0.0 - 23.0.14

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Robotic Process Automation	21.0.0 - 21.0.7.14	Update IBM MQ to release 9.3.4.1 or higher.
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.14	Update to 21.0.7.15 or higher using the following instructions.
IBM Robotic Process Automation	23.0.0 - 23.0.14	Update IBM MQ to release 9.3.4.1 or higher.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.14| Update to 23.0.15 or higher using the following instructions.

Workarounds and Mitigations

None.

Affected configurations

Vulners

Node

ibmrobotic_process_automationMatch21.0.0

ibmrobotic_process_automationMatch21.0.7.14

ibmrobotic_process_automationMatch23.0.0

ibmrobotic_process_automationMatch23.0.14

CPENameOperatorVersion
ibm robotic process automationeq21.0.0
ibm robotic process automationeq21.0.7.14
ibm robotic process automationeq23.0.0
ibm robotic process automationeq23.0.14

Name	Operator	Version
ibm robotic process automation	eq	21.0.0
ibm robotic process automation	eq	21.0.7.14
ibm robotic process automation	eq	23.0.0
ibm robotic process automation	eq	23.0.14