Security Bulletin: Vulnerability in iText affects IBM Process Mining (CVE-2022-24196)

Published: 2023-10-09 10:55:01
Source: www.ibm.com
Tags: itext, ibm process mining, pdf files, denial of service, cve-2022-24196, vulnerability, remote attacker, security fixes

CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS: 0.002 Low (Percentile: 54.0%)

Summary

There is a vulnerability in iText that could allow a remote attacker to cause a denial of service. iText is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID: CVE-2022-24196
**DESCRIPTION:** iText is vulnerable to a denial of service, caused by an out-of-memory error when parsing PDF files in the readStreamBytesRaw component. By persuading a victim to open a specially crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/218651 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Note that this IBM X-Force vector rates the attack vector as local (AV:L, base score 5.5), whereas the 6.5 score shown at the top of this page uses AV:N. Both agree that user interaction is required, that no privileges are needed, and that the impact is limited to availability.
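The following is an added example, not IBM's or iText's code, illustrating the class of flaw described above: a PDF stream reader that sizes its buffer from the untrusted /Length entry of the stream dictionary, beside a bounded reader that checks the declared length against the bytes actually present and against a cap before using it, falling back to locating the endstream keyword when the declared length is wrong. The PDF fragments, the 64 MiB cap, and the function names are constructed for this example.

```python
"""Bounded reading of a PDF stream object's raw bytes.

Constructed illustration of the bug class behind CVE-2022-24196: a parser
that trusts the /Length entry of a stream dictionary and sizes a buffer from
it can be driven out of memory by a file that lies about the length.  This
is NOT iText's code; the PDF fragments and the cap below are made up for the
example.
"""
import re

# Constructed sample: one minimal, well-formed stream object.
GOOD_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Length 11 >>\nstream\nhello world\nendstream\nendobj\n"
)

# Constructed sample: identical bytes, but /Length now claims one terabyte.
BAD_PDF = GOOD_PDF.replace(b"/Length 11", b"/Length 1099511627776")

# Assumed policy cap for a single stream; tune to the deployment.
MAX_STREAM_BYTES = 64 * 1024 * 1024

_STREAM_HEADER = re.compile(rb"<<\s*/Length\s+(\d+)\s*>>\s*stream\r?\n")


def locate_stream(pdf: bytes):
    """Return (declared_length, offset of first data byte) of the first stream."""
    m = _STREAM_HEADER.search(pdf)
    if m is None:
        raise ValueError("no stream object found")
    return int(m.group(1)), m.end()


def naive_read_stream(pdf: bytes) -> bytes:
    """Vulnerable pattern: allocate whatever /Length says, then copy into it.

    On BAD_PDF this requests 2**40 bytes before any byte of the stream has
    been checked, which is the out-of-memory denial of service.  Only call
    it on trusted input.
    """
    length, start = locate_stream(pdf)
    buf = bytearray(length)                 # size is attacker-controlled
    buf[:] = pdf[start:start + length]
    return bytes(buf)


def read_stream_bytes_raw(pdf: bytes, max_bytes: int = MAX_STREAM_BYTES) -> bytes:
    """Hardened reading: never allocate on the strength of an unverified /Length.

    The declared length is only honoured if it (a) fits inside the bytes that
    actually remain in the file, (b) respects the caller's cap, and (c) lands
    on the 'endstream' keyword.  Otherwise the keyword is located by scanning,
    so a lying /Length costs nothing but a search.
    """
    length, start = locate_stream(pdf)
    remaining = len(pdf) - start
    if 0 <= length <= remaining:
        if length > max_bytes:
            raise ValueError(f"stream of {length} bytes exceeds cap of {max_bytes}")
        end = start + length
        if re.match(rb"\s*endstream", pdf[end:end + 16]):
            return pdf[start:end]
    # Fallback: the number in the file was wrong; trust the file's structure.
    idx = pdf.find(b"endstream", start)
    if idx == -1:
        raise ValueError("unterminated stream")
    data = pdf[start:idx]
    if len(data) > max_bytes:
        raise ValueError(f"stream of {len(data)} bytes exceeds cap of {max_bytes}")
    # Drop the single end-of-line that precedes 'endstream' in a conforming file.
    if data.endswith(b"\r\n"):
        data = data[:-2]
    elif data.endswith((b"\n", b"\r")):
        data = data[:-1]
    return data


if __name__ == "__main__":
    print(read_stream_bytes_raw(GOOD_PDF))   # b'hello world'
    print(read_stream_bytes_raw(BAD_PDF))    # b'hello world', no huge allocation
```

The defensive rule generalises beyond PDF: any length field read from untrusted input must be bounded by what the container can physically hold (here, the bytes remaining in the file) and by a policy limit before it drives an allocation, and the parser should have a structural fallback so a bogus length degrades to a slower path rather than an outage.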

Affected Products and Versions

Affected Product(s): IBM Process Mining
Version(s): 1.14.1, 1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4

Remediation/Fixes

Remediation/Fixes guidance:

Product: IBM Process Mining
Affected version(s): 1.14.1, 1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4
Remediation/Fix: Upgrade to version 1.14.2

1. Log in to Passport Advantage.
2. Search for M0FHQML (Process Mining 1.14.2 Server Multiplatform Multilingual).
3. Download the package.
4. Follow the install instructions.
5. Repeat for M0FHRML (Process Mining 1.14.2 Client Windows Multilingual).

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known

Affected configurations

Vulners node: ibmcloud_pak_for_automation matching any of 1.14.1, 1.14.0, 1.13.2, 1.13.1, 1.13.0, 1.12.0.5, 1.12.0.4
