IBM998204E259EEB5C5575FD9988C15186D2DFA2A634EB4A66694471B0085BF1BC2Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Sept 2024
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
High
Summary
In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 1.15.0 IF002
Vulnerability Details
CVEID:CVE-2024-22262
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID:CVE-2022-33068
**DESCRIPTION:**HarfBuzz is vulnerable to an integer overflow in the component hb-ot-shape-fallback.cc. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229559 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-45289
**DESCRIPTION:**Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw when following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive headers information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285338 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-45290
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when parsing a multipart form in the net/textproto package. By sending a specially crafted input, a remote attacker could exploit this vulnerability to allocate arbitrarily large amounts of memory, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2024-21131
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low integrity impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298464 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2024-21138
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause a low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298465 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2024-21140
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality, low integrity impacts.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298466 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2024-21145
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow a remote attacker to cause low confidentiality, low integrity impacts.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298467 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2024-21147
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high integrity impacts.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298469 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID:CVE-2024-24783
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the crypto/x509 package when verifying a certificate chain. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause Certificate.Verify to panic, and results in a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285303 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2024-24784
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the crypto/x509 package when verifying a certificate chain. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause Certificate.Verify to panic, and results in a denial of service condition.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285304 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2024-24785
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the MarshalJSON methods in the html/template package. By sending a specially crafted request, an attacker could exploit this vulnerability to inject unexpected content into templates.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2024-35235
**DESCRIPTION:**OpenPrinting CUPS could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw when starting the cupsd server with a Listen configuration item pointing to a symbolic link. An authenticated attacker could exploit this vulnerability to change permission of any user or system files to be world writable and execute arbitrary commands.
CVSS Base score: 6.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/294443 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2024-39689
**DESCRIPTION:**Certifi python-certifi could provide weaker than expected security, caused by the use of GLOBALTRUST root certificate. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297375 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2024-29025
**DESCRIPTION:**Netty is vulnerable to a denial of service, caused by a flaw when using the HttpPostRequestDecoder to decode a form. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Process Mining | All |
Remediation/Fixes
Any open source library may be included in one or more sub-components of IBM Process Mining. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by
Product(s)
| Version(s) number and/or range| Remediation/Fix/Instructions
—|—|—
IBM Process Mining|
1.15.0 IF001
|
**Upgrade to version 1.15.0 IF002 **<https://www.ibm.com/support/pages/node/7167096>
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | robotic_process_automation_as_a_service | 1.15.0 | cpe:2.3:a:ibm:robotic_process_automation_as_a_service:1.15.0:*:*:*:*:*:*:* |
| ibm | robotic_process_automation_as_a_service | 001 | cpe:2.3:a:ibm:robotic_process_automation_as_a_service:001:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence
High