Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow - CVE-2023-50959

2024-04-02 10:15:00
www.ibm.com
ibm baw
information disclosure
cve-2023-50959
vulnerability
interim fix
cumulative fix
ecm document query authorization service
product version
remediation
ibm support lifecycle addendum

Vulners scoring:

- CVSS3: 6.5 Medium, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE)
- AI Score: 9.2 High (Confidence: High)
- EPSS: 0.0005 Low (Percentile: 19.0%)

Summary

IBM Business Automation Workflow is vulnerable to an information disclosure attack.

Vulnerability Details

**CVEID:** CVE-2023-50959
**DESCRIPTION:** IBM Business Automation Workflow may allow end users to query more documents than expected from a connected Enterprise Content Management system when configured to use a system account.
**CVSS Base score:** 5.3
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/275938 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V23.0.2 - V23.0.2-IF002; V23.0.1 all fixes; V22.0.2 all fixes; V22.0.1 all fixes; V21.0.3 - V21.0.3-IF030; V21.0.2 all fixes; V20.0.0.2 all fixes; V20.0.0.1 all fixes | affected |
| IBM Business Automation Workflow traditional | V23.0.1 - V23.0.2; V22.0.1 - V22.0.2; V21.0.1 - V21.0.3.1; V20.0.0.1 - V20.0.0.2; V19.0.0.1 - V19.0.0.3 | affected |

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT247523 as soon as practical.

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V23.0.2 | Apply 23.0.2-IF003 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF031, or upgrade to 23.0.2-IF003 or later |
| IBM Business Automation Workflow containers | V23.0.1; V22.0.1 - V22.0.2; V21.0.1 - V21.0.2; V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF031, or upgrade to 23.0.2-IF003 or later |
| IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.2 | Apply DT247523 |
| IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT247523 |
| IBM Business Automation Workflow traditional | V23.0.1; V22.0.1 - V22.0.2; V21.0.1 - V21.0.3.0; V20.0.0.1 - V20.0.0.2; V19.0.0.1 - V19.0.0.3; V18.0.0.1 - V18.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |

The fix introduces a new concept, the “ECM Document Query Authorization Service”, comparable to the existing “ECM Document Authorization Service” (see related information below). By implementing this service, your own code can pre-process CMIS queries sent from a client (such as a Client Side Human Service) before they are forwarded to an external ECM system. The service implementation is mandatory for external ECM server definitions that have the “Always Use This Connection Information” checkbox checked, that is, when a system account is used independently of the current end user; in that configuration the ECM system sees only the system account's identity and cannot apply the end user's own permissions to the query. The requirement for an “ECM Document Query Authorization Service” can be globally disabled via configuration to allow a transition period while such services are added to your process apps.
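The following is an added example, not IBM's code and not the actual ECM Document Query Authorization Service API, showing what such a pre-processing hook has to do when the ECM connection runs under a shared system account: scope the end user's CMIS query to the folders that user may read, and refuse queries whose WHERE clause could break out of that scoping. The user-to-folder ACL, the folder ids and the simplified CMIS-QL shape are constructed assumptions.

```python
import re

# Constructed sample ACL (hypothetical): CMIS folder object ids each end user may read.
USER_FOLDER_ACL = {"alice": {"fld-claims-2024", "fld-claims-2023"}, "bob": {"fld-hr-policies"}}

# Minimal CMIS-QL shape handled here: SELECT ... FROM type [WHERE ...] [ORDER BY ...]
QUERY_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<type>[\w:]+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?(?:\s+ORDER\s+BY\s+(?P<order>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL)

class QueryRejected(Exception):
    pass  # raised when a client query cannot be safely scoped to the end user

def balanced_parens(expr: str) -> bool:
    """Parentheses outside single-quoted literals must balance, otherwise
    wrapping expr in ( ) would not isolate it from the appended scope clause."""
    depth, in_str, i = 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if in_str and ch == "\\":
            i += 1  # skip the escaped character inside a string literal
        elif ch == "'":
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0 and not in_str

def authorize_query(user: str, cmis_query: str, uses_system_account: bool) -> str:
    """Pre-process a client CMIS query before it is forwarded to the ECM server.
    With a per-user connection the ECM enforces its own ACLs; with a shared system
    account it only sees that identity, so the query is scoped to the user's folders."""
    if not uses_system_account:
        return cmis_query
    match = QUERY_RE.match(cmis_query)
    where = match.group("where") if match else None
    if match is None or (where and not balanced_parens(where)):
        raise QueryRejected("query shape not recognised; refusing to forward")
    allowed = USER_FOLDER_ACL.get(user)
    if not allowed:
        raise QueryRejected(f"no readable folders for user {user!r}")  # fail closed
    scope = " OR ".join(f"IN_TREE('{fid}')" for fid in sorted(allowed))
    predicate = f"({where}) AND ({scope})" if where else f"({scope})"
    scoped = f"SELECT {match.group('cols')} FROM {match.group('type')} WHERE {predicate}"
    if match.group("order"):
        scoped += f" ORDER BY {match.group('order')}"
    return scoped
```

An unknown user and an unparseable or unbalanced query both fail closed, so the system account never forwards a query broader than the end user's own entitlement.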

Workarounds and Mitigations

None

Affected configurations

Vulners match: IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 23.0.1, 23.0.2
