Security Bulletin: Multiple security vulnerabilities affect IBM Robotic Process Automation for Cloud Pak.

Summary

XZ is used by IBM Robotic Process Automation for Cloud Pak as part of base container images, Watson NLP and WebSphere Liberty. (CVE-2020-22916). File is used by IBM Robotic Process Automation for Cloud Pak as part of the base container images, Watson NLP and WebSphere Liberty. (CVE-2022-48554). GNU gdb is used by IBM Robotic Process Automation for Cloud Pak as part of the base container images and WebSphere Liberty. (CVE-2023-39128, CVE-2023-39130).

Vulnerability Details

CVEID:CVE-2020-22916
**DESCRIPTION:**XZ is vulnerable to a denial of service, caused by a flaw in the decompression algorithm when processing archive files. By persuading a victim to decompress a specially crafted file, a remote attacker could exploit this vulnerability to conduct a decompression bomb attack, resulting a denial of service. Note: the vendor disputes this vulnerability, as the decompression of 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266535 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-48554
**DESCRIPTION:**File is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the file_copystr function in funcs.c. By persuading a victim to open a specially crafted file, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264341 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-39128
**DESCRIPTION:**GNU gdb is vulnerable to a denial of service, caused by a stack-based buffer overflow in the ada_decode function in /gdb/ada-lang.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261648 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-39130
**DESCRIPTION:**GNU gdb is vulnerable to a denial of service, caused by a heap-based buffer overflow in the pe_as16 function in /gdb/coff-pe-read.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261650 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.10| Update to 23.0.11 or higher using the following instructions.

Workarounds and Mitigations

None.