IBM6A890FA587B259E8DEC1E63D9AB619E8AC0ACA8B3140CE256CFD98058D3AD60FSecurity Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow - CVE-2024-25710, CVE-2024-26308
8.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6.4 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.9%
Summary
IBM Business Automation Workflow is vulnerable to a Denial of Service attack.
Vulnerability Details
CVEID:CVE-2024-25710
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283472 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-26308
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/283469 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers |
V23.0.2 - V23.0.2-IF004
V23.0.1 all fixes
V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF032
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| affected
IBM Business Automation Workflow traditional| V23.0.1 - V23.0.2
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT378898 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V23.0.2 | Apply 23.0.2-IF005 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF033 |
| or upgrade to 23.0.2-IF005 or later | ||
| IBM Business Automation Workflow containers | V23.0.1 | |
| V22.0.1 - V22.0.2 | ||
| V21.0.1 - V21.0.2 | ||
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF033 | |
| or upgrade to 23.0.2-IF005 or later | ||
| IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.2 | Apply DT378898 |
| IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT378898 |
| IBM Business Automation Workflow traditional |
V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.0
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.1 - V18.0.0.3
| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum
Workarounds and Mitigations
None
Affected configurations
Related
8.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
6.4 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
25.9%