ibm / IBM1D9D1AD0ACE91D239538DC610B585D70BC08A0714F0F37D5A811234FA1BAFEF7
History: Feb 02, 2024 - 10:47 a.m.

Security Bulletin: Multiple vulnerabilities in nodejs packages affect IBM Business Automation Workflow - CVE-2023-26159, CVE-2023-45857

Source: www.ibm.com
Tags: ibm business automation workflow, center, interfaces, package, vulnerable, open redirect, cross-site request forgery, nodejs, packages, cve-2023-26159, cve-2023-45857

CVSS3: 7.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
AI Score: 6.8
Confidence: High
EPSS: 0.001
Percentile: 28.4%

Summary

The IBM Business Automation Workflow Workflow Center user interfaces package bundles vulnerable versions of two open source Node.js dependencies, follow-redirects (CVE-2023-26159) and axios (CVE-2023-45857).

Vulnerability Details

**CVEID:** CVE-2023-26159
**DESCRIPTION:** follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to an arbitrary Web site.
CVSS Base score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)

**CVEID:** CVE-2023-45857
**DESCRIPTION:** Axios is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. When the XSRF-TOKEN cookie is available and the withCredentials setting is turned on, affected versions insert an X-XSRF-TOKEN header carrying the secret XSRF-TOKEN cookie value into all requests to any server, including hosts unrelated to the one that issued the cookie. A server that receives such a request learns the anti-CSRF token, and an attacker who controls such a host could use it to defeat the CSRF protection the token provides and carry out other malicious activities.
CVSS Base score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/270574 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
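To make the CVE-2023-45857 behaviour concrete, the following is an added example, not axios source and not code from IBM: a minimal model of the single decision the bug concerns, whether the client copies the XSRF-TOKEN cookie into the X-XSRF-TOKEN header, shown in its vulnerable form beside a hardened form in the spirit of the upstream fix (a same-origin check plus an explicit per-request opt-in). The page origin, cookie jar, request list and the option name withXSRFToken are constructed for this example.

```javascript
"use strict";

// Added example (not axios source): models whether an HTTP client copies the
// anti-CSRF cookie into the X-XSRF-TOKEN request header. pageOrigin, cookieJar
// and the request list are constructed inputs for this example.

const XSRF_COOKIE = "XSRF-TOKEN";
const XSRF_HEADER = "X-XSRF-TOKEN";

// Vulnerable logic: once withCredentials is on and the cookie exists, the
// header is added to every request, whatever host it is sent to.
function attachVulnerable(requestUrl, opts, cookieJar, pageOrigin) {
  const headers = {};
  const token = cookieJar[XSRF_COOKIE];
  if (opts.withCredentials && token) {
    headers[XSRF_HEADER] = token;
  }
  return headers;
}

// Hardened logic: the header is added only for requests to the origin that
// set the cookie, or when the caller explicitly opts in with withXSRFToken.
function attachHardened(requestUrl, opts, cookieJar, pageOrigin) {
  const headers = {};
  const token = cookieJar[XSRF_COOKIE];
  if (!token) return headers;
  const target = new URL(requestUrl, pageOrigin); // resolves relative paths
  const sameOrigin = target.origin === new URL(pageOrigin).origin;
  if (opts.withXSRFToken === true || (opts.withCredentials && sameOrigin)) {
    headers[XSRF_HEADER] = token;
  }
  return headers;
}

// Runs every request URL through a header builder and returns the hosts
// that would receive the token value.
function hostsReceivingToken(builder, urls, opts, cookieJar, pageOrigin) {
  const hosts = [];
  for (const u of urls) {
    const headers = builder(u, opts, cookieJar, pageOrigin);
    if (headers[XSRF_HEADER] !== undefined) {
      hosts.push(new URL(u, pageOrigin).host);
    }
  }
  return hosts;
}

// Constructed scenario: a Workflow Center front end at pageOrigin holds an
// XSRF-TOKEN cookie and calls its own REST API plus an unrelated third party.
const pageOrigin = "https://workflow.example.com";
const cookieJar = { [XSRF_COOKIE]: "s3cr3t-anti-csrf-token" };
const requests = [
  "https://workflow.example.com/rest/bpm/wle/v1/process",
  "https://telemetry.third-party.example/collect",
  "/relative/api/call",
];
const opts = { withCredentials: true };

console.log("vulnerable:", hostsReceivingToken(attachVulnerable, requests, opts, cookieJar, pageOrigin));
console.log("hardened:  ", hostsReceivingToken(attachHardened, requests, opts, cookieJar, pageOrigin));
```

With the vulnerable builder the third-party host receives the token; with the hardened builder only the issuing origin does, and a cross-origin call gets the header only when the caller sets withXSRFToken explicitly.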

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V23.0.2 | affected |
| IBM Business Automation Workflow containers | V23.0.1, all fixes | affected |
| IBM Business Automation Workflow containers | V22.0.2, all fixes | affected |
| IBM Business Automation Workflow containers | V22.0.1, all fixes | affected |
| IBM Business Automation Workflow containers | V21.0.3 - V21.0.3-IF028 | affected |
| IBM Business Automation Workflow traditional | V23.0.1 - V23.0.2 | affected |
| IBM Business Automation Workflow traditional | V22.0.1 - V22.0.2 | affected |
| IBM Business Automation Workflow traditional | V21.0.1 - V21.0.3.1 | affected |
| IBM Business Automation Workflow Enterprise Service Bus | V23.0.1 - V23.0.2 | Not affected |
| IBM Business Automation Workflow Enterprise Service Bus | V22.0.2 | Not affected |

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing Known Issue DT257576 as soon as practical.

Note that DT257576 supersedes DT258079.

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V23.0.2 | Apply 23.0.2-IF001 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF029, or upgrade to 23.0.2-IF001 or later |
| IBM Business Automation Workflow containers | V23.0.1; V22.0.1 - V22.0.2; V21.0.1 - V21.0.2; V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF029, or upgrade to 23.0.2-IF001 or later |
| IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.2 | Apply DT257576 |
| IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT257576 |
| IBM Business Automation Workflow traditional | V23.0.1; V22.0.1 - V22.0.2; V21.0.1 - V21.0.3.0; V20.0.0.1 - V20.0.0.2; V19.0.0.1 - V19.0.0.3; V18.0.0.1 - V18.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |

Workarounds and Mitigations

None

Affected configurations

CPE matches as indexed by Vulners; the vendor's Affected Products and Remediation tables above are authoritative.

cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:*
cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:enterprise_service_bus:*:*:*
cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:enterprise_service_bus:*:*:*
