IBM8037403E795B4AB9DD702C033A48D9B085F8F924DAF6489E8AFBB3ECB5DB8129Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow - CVE-2023-34623
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.9 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.0%
Summary
IBM Business Automation Workflow repackages parts of IBM Content Navigator attack. CVE-2023-34623 has been addressed.
Vulnerability Details
CVEID:CVE-2023-34623
**DESCRIPTION:**jtidy is vulnerable to a denial of service, caused by an out-of-bounds write error. By using a specially crafted object that uses cyclic dependencies, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258082 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers |
V23.0.1 - V23.0.1-IF003
V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF025
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| affected
IBM Business Automation Workflow traditional| V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT257955 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V23.0.1 - V23.0.1-IF003 |
Apply 23.0.1-IF004 or later or
upgrade to 23.0.2 latest ifix
IBM Business Automation Workflow containers| V21.0.3| Apply 21.0.3-IF026 or
upgrade to 23.0.2 latest ifix
IBM Business Automation Workflow containers| V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.2
V20.0.0.1 - V20.0.0.2| Upgrade to 21.0.3-IF026 or
upgrade to 23.0.2 latest ifix
IBM Business Automation Workflow traditional| V21.0.3.1| Apply DT257955 or update to V23.0.2
IBM Business Automation Workflow traditional|
V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.0
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.1 - V18.0.0.3
| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
6.9 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.0%