CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
69.9%
IBM Business Automation Workflow packages a vulnerable copy of spring-expressions in BPM/Lombardi/lib.
CVEID:CVE-2023-20863
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252807 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Business Automation Workflow containers |
V22.0.2 - V22.0.2.IF004
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF020
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| affected
IBM Business Automation Workflow traditional| V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
IBM Business Automation Workflow Enterprise Service Bus| V22.0.2| affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT211505 as soon as practical.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Business Automation Workflow containers | V22.0.2 | Apply 22.0.2-IF005 |
IBM Business Automation Workflow containers | V22.0.1 | Upgrade to Business Automation Workflow on Containers 22.0.2 and apply 22.0.2-IF005 |
IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF021 |
or upgrade to 22.0.2-IF005 or later | ||
IBM Business Automation Workflow containers | V21.0.2 | |
V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF021 | |
or upgrade to 22.0.2-IF005 or later | ||
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V22.0.2 | Apply DT211505 |
IBM Business Automation Workflow traditional | V21.0.3.1 | DT211505 or |
Upgrade to IBM Business Automation Workflow traditional V22.0.2 and apply DT211505 | ||
IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT211505 |
or upgrade to IBM Business Automation Workflow traditional V22.0.2 or later and apply DT211505 | ||
IBM Business Automation Workflow traditional | V22.0.1 | |
V21.0.2 | ||
V20.0.0.1 | ||
V19.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | business_automation_workflow | 22.0.2 | cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:* |
ibm | business_automation_workflow | 18.0.0.0 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 18.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 18.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 19.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 19.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 19.0.0.3 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 20.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 20.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:*:*:*:*:*:*:* |
ibm | business_automation_workflow | 21.0.2 | cpe:2.3:a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
69.9%