History: Jan 30, 2023 - 3:06 p.m.

Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to minimatch CVE-2022-3517

Published: 2023-01-30 15:06:37
Source: www.ibm.com
Tags: ibm cloud pak for integration, vulnerability, denial of service, minimatch cve-2022-3517, remediation, upgrade, automation assets

CVSS3 base score: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.002
Percentile: 55.2%

Summary

Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to minimatch CVE-2022-3517 with details below.

Vulnerability Details

CVEID: CVE-2022-3517
DESCRIPTION: minimatch is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the braceExpand function. By sending specially-crafted regex arguments, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
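The bulletin's fix is an operator upgrade, but anyone who ships or runs a Node.js artifact of their own will first want to know whether it actually bundles minimatch, and how many nested copies the dependency tree holds, since npm routinely installs several. The audit script below is an added example, not code from IBM, from the bulletin, or from the minimatch project. It assumes a package-lock.json in lockfileVersion 1 (nested "dependencies" tree) or 2/3 (flat "packages" map); the patched minimatch version is not stated in this bulletin, so it is a caller-supplied argument, and the 4.0.0 threshold used in the sample run is a constructed value, not the real fix version. It goes a little beyond this one case by accepting any package name and both lockfile layouts.

```javascript
// Added example (not IBM's or minimatch's code): list every installed copy of
// a named npm package in a package-lock.json and flag copies older than a
// caller-supplied patched version. The bulletin names no patched minimatch
// version, so the threshold is an argument rather than a constant here.

// Numeric compare of dotted versions, ignoring any pre-release suffix
// ("3.0.5-beta" compares as 3.0.5). Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/minimatch" or "node_modules/glob/node_modules/minimatch".
function collectFromPackages(lock, name) {
  const found = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === `node_modules/${name}` || installPath.endsWith(`/node_modules/${name}`)) {
      found.push({ path: installPath, version: meta.version });
    }
  }
  return found;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively so that
// copies hoisted under other packages are not missed.
function collectFromDependencies(deps, name, prefix, found) {
  for (const [depName, meta] of Object.entries(deps || {})) {
    const installPath = `${prefix}node_modules/${depName}`;
    if (depName === name) found.push({ path: installPath, version: meta.version });
    collectFromDependencies(meta.dependencies, name, `${installPath}/`, found);
  }
  return found;
}

// Returns one record per installed copy: { path, version, vulnerable }, where
// vulnerable is true when the installed version predates patchedVersion.
function findVulnerableCopies(lock, name, patchedVersion) {
  const copies = lock.packages
    ? collectFromPackages(lock, name)
    : collectFromDependencies(lock.dependencies, name, '', []);
  return copies.map((c) => ({
    ...c,
    vulnerable: compareVersions(c.version, patchedVersion) < 0,
  }));
}

function printReport(copies) {
  for (const c of copies) {
    console.log(`${c.vulnerable ? 'VULNERABLE' : 'ok        '} ${c.version.padEnd(10)} ${c.path}`);
  }
}

// Constructed sample lockfiles (not taken from any real product): one copy of
// minimatch at the top level and a second one nested under glob.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/minimatch': { version: '3.0.4' },
    'node_modules/glob': { version: '8.0.0' },
    'node_modules/glob/node_modules/minimatch': { version: '5.1.0' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    minimatch: { version: '3.0.4' },
    glob: {
      version: '8.0.0',
      dependencies: { minimatch: { version: '5.1.0' } },
    },
  },
};

// Constructed demo threshold; replace with the patched version from the
// minimatch advisory when running this for real.
const DEMO_THRESHOLD = '4.0.0';

// Stand-alone use: node audit-lock.js <package-lock.json> <package> <patched-version>
// With no arguments the constructed sample is audited instead.
if (typeof require === 'function' && process.argv.length >= 5) {
  const [lockPath, pkg, patched] = process.argv.slice(2);
  const lock = JSON.parse(require('fs').readFileSync(lockPath, 'utf8'));
  printReport(findVulnerableCopies(lock, pkg, patched));
} else {
  printReport(findVulnerableCopies(SAMPLE_LOCK_V3, 'minimatch', DEMO_THRESHOLD));
}
```

Run against a real lockfile, the report shows each install path so the owning parent package is obvious; a copy nested under another dependency cannot be fixed by bumping your own direct dependency and instead needs that parent upgraded or an npm override.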

Affected Products and Versions

Affected Product(s): Automation Assets in IBM Cloud Pak for Integration (CP4I)
Version(s): 2020.4.1, 2021.1.1, 2021.2.1, 2021.4.1, 2022.2.1

Remediation/Fixes

Automation Assets version 2020.4.1, 2021.1, 2021.2, 2021.4, or 2022.2 in IBM Cloud Pak for Integration

Upgrade Automation Assets Operator to 2022.2.1-4 using the Operator upgrade process described in the IBM Documentation:

https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-automation-assets

Workarounds and Mitigations

None

