Security Bulletin: Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor

Summary

IBM Business Automation Workflow Configuration Editor is vulnerable to multiple attacks.

Vulnerability Details

CVEID:CVE-2023-32005
**DESCRIPTION:*Node.js could allow a remote attacker to obtain sensitive information, caused by the failure to restrict file stats through the fs.statfs API in the permission model. By using the --allow-fs-read flag with a non- argument, an attacker could exploit this vulnerability to retrieve stats from files that they do not have explicit read access to.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262903 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-32006
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the use of module.constructor.createRequire(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the permission policy mechanism.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262901 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-32003
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by a missing getValidatedPath() check in the fs.mkdtemp() and fs.mkdtempSync() APIs. By using a path traversal attack, an attacker could exploit this vulnerability to bypass the permission model check and create an arbitrary directory.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262904 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-32558
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the use of the deprecated API process.binding(). By using a path traversal sequence, an attacker could exploit this vulnerability to bypass the permission model.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262900 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-32559
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the use of the deprecated API process.binding(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the permission policy mechanism.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262902 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-32002
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the use of Module._load(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the permission policy mechanism.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262896 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-32004
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the improper handling of Buffers in file system APIs within the experimental permission model. By specifying a path traversal sequence in a Buffer, an attacker could exploit this vulnerability to cause a path traversal bypass when verifying file permissions.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262899 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30581
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the use of proto in process.mainModule.proto.require(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass experimental policy mechanism.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30585
**DESCRIPTION:**Node.js could allow a remote attacker to gain elevated privileges on the system, caused by an error in the installation process during the repair operation, where the “msiexec.exe” process attempts to read the %USERPROFILE% environment variable from the current user’s registry. An attacker could exploit this vulnerability to create folders in unintended and potentially malicious locations.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258621 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30589
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by the failure to strictly use the CRLF sequence to delimit HTTP requests by the llhttp parser in the http module. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258624 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30590
**DESCRIPTION:**Node.js could provide weaker than expected security, caused by the failure to generate keys after setting a private key by the generateKeys() API function. By sending a specially crafted request, an attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-30582
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the failure to restrict file watching through the fs.watchFile API. By sending a specially crafted request, an attacker could exploit this vulnerability to monitor restricted files.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258619 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-30586
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by an error in the crypto.setEngine() API when called with a compatible OpenSSL engine. By manipulating the process’s stack memory to locate the permission model Permission::enabled_ in the host process’s heap memory, an attacker could exploit this vulnerability to bypass the permission model.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-30587
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions. By exploiting the Worker class’s ability to create an “internal worker” with the kIsInternal Symbol, an attacker could exploit this vulnerability to modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258618 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30583
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by a missing check in the fs.openAsBlob() API. By using the file system read restriction with the --allow-fs-read flag, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258620 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-30584
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30588
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By accessing public key info of provided certificates from user code, an attacker could exploit this vulnerability to force interruptions of application processing and cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

V22.0.2 all fixes
V22.0.1 - V22.0.1 all fixes
V21.0.3 - V21.0.3 all fixes
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes

| not affected
IBM Business Automation Workflow traditional| V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
IBM Business Automation Workflow Enterprise Service Bus| V23.0.1
V22.0.2| affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT223906 as soon as practical.

Workarounds and Mitigations

Use a regular text editor for working with BAW configuration files.