Lucene search

IBM0ED27FC5D4CB41A6057650D344B5798B89AC10F75F1FB1E5D73B04E023FF8A6B

HistoryJun 29, 2023 - 5:28 p.m.

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Go [CVE-2023-24539 and CVE-2023-24540]

2023-06-2917:28:53

www.ibm.com

platform navigator

automation assets

ibm cloud pak

vulnerable

remote code injection

fixes

lts

upgrade

operator

ibm documentation

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

65.6%

JSON

Summary

Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote code injection due to Go [CVE-2023-24539 and CVE-2023-24540], with details below. IBM has addressed the vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-24539
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing multiple actions separated by a ‘/’ character, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256136 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-24540
**DESCRIPTION:**Go is vulnerable to HTML injection. A remote attacker could inject malicious HTML code into a template containing whitespace characters outside of the character set “\t\n\f\r\u0020\u2028\u2029”, which when viewed, would execute in the victim’s Web browser within the security context of the hosting site.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Platform Navigator in IBM Cloud Pak for Integration (CP4I)	2021.2.1
2021.4.1
2022.2.1
2022.4.1
Automation Assets in IBM Cloud Pak for Integration (CP4I)	2021.2.1
2021.4.1
2022.2.1

Remediation/Fixes

Platform Navigator in IBM Cloud Pak for Integration

Upgrade Platform Navigator to either the LTS or CD version:

LTS: 2022.2.1-11 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=upgrading-platform-ui>

CD: 2023.2.1-0 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2023.2?topic=upgrading-platform-ui>

Automation Assets version****in IBM Cloud Pak for Integration

Upgrade Automation Assets Operator to 2022.2.1-10 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-automation-assets>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_automationMatch2021.2.12021.4.12022.2.12022.4.1

ibmcloud_pak_for_automationMatch2021.2.12021.4.12022.2.1

CPENameOperatorVersion
platform navigator in ibm cloud pak for integration (cp4i)eq2021.2.12021.4.12022.2.12022.4.1
automation assets in ibm cloud pak for integration (cp4i)eq2021.2.12021.4.12022.2.1

CPE	Name	Operator	Version
	platform navigator in ibm cloud pak for integration (cp4i)	eq	2021.2.12021.4.12022.2.12022.4.1
	automation assets in ibm cloud pak for integration (cp4i)	eq	2021.2.12021.4.12022.2.1