Lucene search

IBM39A4E734A59598297D9706102C6D690846DC00A78C9C5B61025A686F75B770BF

HistoryNov 09, 2023 - 7:30 p.m.

Security Bulletin: Multiple vulnerabilities in Eclipse Jetty affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow

2023-11-0919:30:17

www.ibm.com

ibm process designer

eclipse jetty

ibm business automation workflow

http request smuggling

denial of service

web cache

xss attacks

ibm

security bulletin

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.3

Confidence

High

EPSS

0.005

Percentile

76.3%

JSON

Summary

There are multiple vulnerabilities in Eclipse Jetty, which is used by the desktop version of IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow. IBM Process Designer has addressed the applicable CVE.

Vulnerability Details

CVEID:CVE-2023-40167
**DESCRIPTION:**Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP/1 request header. By sending a specially crafted request, a remote attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-36478
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by an integer overflow and buffer allocation in MetaDataBuilder.checkSize. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268413 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Process Designer 8.5.7 is shipped with the following versions of IBM Business Automation Workflow

Affected Product(s)	Version(s)
IBM Business Automation Workflow	19.0.0.3 - 23.0.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now.

IBM Process Designer Version(s)	IBM Business Automation Workflow Version(s)	Remediation/Fix/Instructions
8.5.7	23.0.1

Download interim fix DT241178 and follow instructions in the readme file.

8.5.7| 21.0.3|

Download interim fix DT241178 and follow instructions in the readme file.

IBM Process Designer is shipped with IBM Business Automation Workflow.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmbusiness_automation_workflowMatch18.0.0.1

ibmbusiness_automation_workflowMatch18.0.0.2

ibmbusiness_automation_workflowMatch19.0.0.1

ibmbusiness_automation_workflowMatch19.0.0.2

ibmbusiness_automation_workflowMatch19.0.0.3

ibmbusiness_automation_workflowMatch20.0.0.1

ibmbusiness_automation_workflowMatch20.0.0.2

ibmbusiness_automation_workflowMatch21.0.1

ibmbusiness_automation_workflowMatch21.0.2

ibmbusiness_automation_workflowMatch21.0.3

ibmbusiness_automation_workflowMatch22.0.1

ibmbusiness_automation_workflowMatch22.0.2

ibmbusiness_automation_workflowMatch23.0.1

VendorProductVersionCPE
ibmbusiness_automation_workflow18.0.0.1cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.2cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.1cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.2cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.3cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
ibmbusiness_automation_workflow20.0.0.1cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow20.0.0.2cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow21.0.1cpe:2.3:a:ibm:business_automation_workflow:21.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow21.0.2cpe:2.3:a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow21.0.3cpe:2.3:a:ibm:business_automation_workflow:21.0.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	business_automation_workflow	18.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:::::::*
ibm	business_automation_workflow	18.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:::::::*
ibm	business_automation_workflow	19.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:::::::*
ibm	business_automation_workflow	19.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:::::::*
ibm	business_automation_workflow	19.0.0.3	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:::::::*
ibm	business_automation_workflow	20.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:::::::*
ibm	business_automation_workflow	20.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:::::::*
ibm	business_automation_workflow	21.0.1	cpe:2.3:a:ibm:business_automation_workflow:21.0.1:::::::*
ibm	business_automation_workflow	21.0.2	cpe:2.3:a:ibm:business_automation_workflow:21.0.2:::::::*
ibm	business_automation_workflow	21.0.3	cpe:2.3:a:ibm:business_automation_workflow:21.0.3:::::::*