Security Bulletin: A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941)

Published: 2023-03-20 21:47:32
Source: www.ibm.com

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality Impact: None | Integrity Impact: None | Availability Impact: High

CVSS2: 5.0 Medium
AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector: Network | Access Complexity: Low | Authentication: None | Confidentiality Impact: None | Integrity Impact: None | Availability Impact: Partial

EPSS: 0.002 Low (percentile 55.3%)

Summary

There is a vulnerability in protobuf, which IBM Robotic Process Automation uses as part of its speech and NLP processing, that may result in a denial of service. This bulletin identifies the security fixes to apply to address this vulnerability.

Vulnerability Details

CVEID: CVE-2022-1941
**DESCRIPTION:** protobuf is vulnerable to a denial of service, caused by a parsing flaw in the MessageSet type of Protocol Buffers. By sending a specially crafted MessageSet message with multiple key-value pairs per element, a remote attacker could exploit this vulnerability to cause a crash (an out-of-memory failure) in a service that parses unsanitized input.
CVSS Base score: 5.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/237081 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Note that IBM's 5.7 assumes adjacent-network access by a low-privileged user (AV:A/PR:L), whereas the 7.5 score at the top of this page rates the same flaw as reachable from the network without authentication (AV:N/PR:N). Which applies to a given deployment depends on whether untrusted clients can reach the RPA components that parse protobuf input; where that path is exposed, plan on the higher score.

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Robotic Process Automation for Cloud Pak | 21.0.1 - 21.0.7.2, 23.0.0 - 23.0.1 |
| IBM Robotic Process Automation | < 21.0.7.3, 23.0.0 - 23.0.1 |

(The 23.0.0 - 23.0.1 range for IBM Robotic Process Automation is taken from the remediation table below, which lists a fix for it.)

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions |
|---|---|---|
| IBM Robotic Process Automation | < 21.0.7.3 | Download 21.0.7.3 or higher and follow the accompanying instructions. |
| IBM Robotic Process Automation | 23.0.0 - 23.0.1 | Download 23.0.2 or higher and follow the accompanying instructions. |
| IBM Robotic Process Automation for Cloud Pak | 21.0.1 - 21.0.7.2 | Update to 21.0.7.3 or higher using the accompanying instructions. |
| IBM Robotic Process Automation for Cloud Pak | 23.0.0 - 23.0.1 | Update to 23.0.2 or higher using the accompanying instructions. |
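The remediation table reduces to four version ranges, and the practical question for an operator is which installs still fall inside them. The following Python script is an added example, not IBM tooling: it encodes the ranges exactly as the bulletin states them (the on-premises "< 21.0.7.3" row has no stated lower bound, so it is modelled as starting at 0) and reports, for a constructed inventory, which entries need the update and which release to move to. The hostnames, the `remediation_for` and `triage` function names, and the inventory rows are assumptions made for this example.

```python
"""Triage IBM Robotic Process Automation versions against the affected ranges
in IBM's bulletin for CVE-2022-1941.

Added example, not IBM tooling. The ranges are copied from the bulletin's
tables; the inventory at the bottom is constructed for illustration.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse '21.0.7.2' into a zero-padded 4-tuple so that '23.0.1' and
    '23.0.1.0' compare equal and '23.0.1.5' still sorts below '23.0.2'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


# (product, first affected inclusive, first fixed exclusive, remediation)
# Exactly the rows of the bulletin's remediation table. The on-premises
# '< 21.0.7.3' row states no lower bound, so it is modelled from 0.0.0.0.
AFFECTED_RANGES = [
    ("IBM Robotic Process Automation", "0", "21.0.7.3", "21.0.7.3"),
    ("IBM Robotic Process Automation", "23.0.0", "23.0.2", "23.0.2"),
    ("IBM Robotic Process Automation for Cloud Pak", "21.0.1", "21.0.7.3", "21.0.7.3"),
    ("IBM Robotic Process Automation for Cloud Pak", "23.0.0", "23.0.2", "23.0.2"),
]


def remediation_for(product: str, version: str) -> Optional[str]:
    """Return the release to move to if (product, version) lies in an affected
    range, else None.  None means 'not listed in this bulletin', not 'safe':
    a version outside every listed range (for example a 22.x build) must be
    checked against IBM's other notices rather than assumed fixed."""
    v = parse_version(version)
    for prod, low, high, fix in AFFECTED_RANGES:
        if prod == product and parse_version(low) <= v < parse_version(high):
            return fix
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Given (host, product, version) rows, return (host, product, version,
    fix) for every row that still needs the update, in inventory order."""
    findings = []
    for host, product, version in inventory:
        fix = remediation_for(product, version)
        if fix is not None:
            findings.append((host, product, version, fix))
    return findings


# Constructed inventory for illustration; the hostnames are not real.
SAMPLE_INVENTORY = [
    ("rpa-prod-01", "IBM Robotic Process Automation", "21.0.7.2"),
    ("rpa-prod-02", "IBM Robotic Process Automation", "21.0.7.3"),
    ("rpa-dev-01", "IBM Robotic Process Automation", "23.0.1"),
    ("cp4-rpa-01", "IBM Robotic Process Automation for Cloud Pak", "23.0.0"),
    ("cp4-rpa-02", "IBM Robotic Process Automation for Cloud Pak", "23.0.2"),
]

if __name__ == "__main__":
    for host, product, version, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected; update to {fix} or higher")
```

The comparison deliberately uses the fixed release as an exclusive upper bound, so a four-component build such as 23.0.1.5 is still reported as affected while 23.0.2 is not. Because the bulletin lists no workaround, a hit in the output has exactly one action: the update in the last column.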

Workarounds and Mitigations

None
