Security Bulletin: Path traversal vulnerability affects IBM Business Automation Workflow - CVE-2022-43864

Published: 2023-02-10 14:34:15
Source: www.ibm.com

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.001
Percentile: 50.2%

Summary

IBM Business Automation Workflow is vulnerable to a Path Traversal attack.

Vulnerability Details

CVEID: CVE-2022-43864
**DESCRIPTION:** IBM Business Automation Workflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239427 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.2 - V22.0.2 all fixes; V22.0.1 - V22.0.1 all fixes; V21.0.3 - V21.0.3 all fixes; V21.0.2 all fixes; V20.0.0.2 all fixes; V20.0.0.1 all fixes | not affected |
| IBM Business Automation Workflow traditional | V22.0.1 - V22.0.2; V21.0.1 - V21.0.3.1; V20.0.0.1 - V20.0.0.2; V19.0.0.1 - V19.0.0.3 | affected |
| IBM Business Automation Workflow Enterprise Service Bus | V22.0.2 | affected |

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT172088 as soon as practical.

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V22.0.2 | Apply DT172088 |
| IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT172088, or upgrade to IBM Business Automation Workflow traditional V22.0.2 and apply DT172088 |
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT172088, or upgrade to IBM Business Automation Workflow traditional V22.0.2 and apply DT172088 |
| IBM Business Automation Workflow traditional | V22.0.1; V21.0.1 - V21.0.2; V20.0.0.1; V19.0.0.1 - V19.0.0.3 and earlier unsupported versions | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |

Workarounds and Mitigations

None

