Lucene search

IBM210E8665C3EF04D47AF1B8CFAC016FFCAC9D7558C131AA1E5DC1DFDA5A768FD8

HistoryOct 09, 2023 - 10:58 a.m.

Security Bulletin: Vulnerability in iText affects IBM Process Mining . CVE-2022-24197

2023-10-0910:58:10

www.ibm.com

itext

denial of service

ibm process mining

security fixes

cve-2022-24197

stack-based buffer overflow

pdf files

cvss 5.5

remote attacker

vulnerability

ibm

process mining 1.14.2

passportadvantage

install instructions

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

61.3%

JSON

Summary

There is a vulnerability in iText that could allow a remote attacker to execute a denial of service. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-24197
**DESCRIPTION:**iText is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing PDF files in the ByteBuffer.append component. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/218650 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Process Mining

1.14.1,

1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4

Remediation/Fixes

Remediation/Fixes guidance:

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Process Mining

1.14.1,

1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4

Upgrade to version 1.14.2

1.Login to PassPortAdvantage

2. Search for
M0FHQML
Process Mining 1.14.2 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M0FHRML Process Mining 1.14.2 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known

Affected configurations

Vulners

Node

ibmcloud_pak_for_automationMatch1.14.1

ibmcloud_pak_for_automationMatch1.14.0

ibmcloud_pak_for_automationMatch1.13.2

ibmcloud_pak_for_automationMatch1.13.1

ibmcloud_pak_for_automationMatch1.13.0

ibmcloud_pak_for_automationMatch1.12.0.5

ibmcloud_pak_for_automationMatch1.12.0.4

CPENameOperatorVersion
ibm cloud pak for automationeq1.14.1
ibm cloud pak for automationeq1.14.0
ibm cloud pak for automationeq1.13.2
ibm cloud pak for automationeq1.13.1
ibm cloud pak for automationeq1.13.0
ibm cloud pak for automationeq1.12.0.5
ibm cloud pak for automationeq1.12.0.4

Name	Operator	Version
ibm cloud pak for automation	eq	1.14.1
ibm cloud pak for automation	eq	1.14.0
ibm cloud pak for automation	eq	1.13.2
ibm cloud pak for automation	eq	1.13.1
ibm cloud pak for automation	eq	1.13.0
ibm cloud pak for automation	eq	1.12.0.5
ibm cloud pak for automation	eq	1.12.0.4

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

0.002 Low

EPSS

Percentile

61.3%

JSON

Related for 210E8665C3EF04D47AF1B8CFAC016FFCAC9D7558C131AA1E5DC1DFDA5A768FD8