Lucene search

K
ibmIBMAAD621C32AA57CF76768C1F915C3FA0491DC2353F91AC593F367BB8256133C98
HistoryDec 07, 2022 - 6:55 a.m.

Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Workflow Event Emitters

2022-12-0706:55:48
www.ibm.com
12

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

71.7%

Summary

IBM Business Automation Workflow event emitters for IBM Business Automation Insights package open source libraries with known vulnerabilities.

Vulnerability Details

CVEID:CVE-2022-25857
**DESCRIPTION:**Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation for collections. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234864 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-38751
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235311 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-38749
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235313 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-38752
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-38750
**DESCRIPTION:**SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235312 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-42003
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237662 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-42004
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in in the BeanDeserializer._deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237660 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s) Status
IBM Business Automation Workflow containers V22.0.1 - V22.0.1-IF004
V21.0.3 - V21.0.3-IF014
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes affected
IBM Business Automation Workflow traditional V22.0.1
V21.0.1 - V21.0.3
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.0 - V18.0.0.2 affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT170126 as soon as practical.

Affected Product(s) Version(s) Remediation / Fix
IBM Business Automation Workflow containers V22.0.1 Apply 22.0.1-IF005
IBM Business Automation Workflow containers V21.0.3 Apply 21.0.3-IF015
or upgrade to 22.0.1-IF005 or later
IBM Business Automation Workflow containers V21.0.2
V20.0.0.1 - V20.0.0.2 Upgrade to 21.0.3-IF015
or upgrade to 22.0.1-IF005 or later
IBM Business Automation Workflow traditional V22.0.1 Apply DT170126
IBM Business Automation Workflow traditional V21.0.3 Apply DT170126
or upgrade to IBM Business Automation Workflow 22.0.1 or later
IBM Business Automation Workflow traditional V21.0.2 Upgrade to IBM Business Automation Workflow 21.0.3 and apply DT170126
or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT170126
IBM Business Automation Workflow traditional V20.0.0.2 Apply DT170126
or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT170126
IBM Business Automation Workflow traditional V20.0.0.1 Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply DT170126
or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT170126
IBM Business Automation Workflow traditional V19.0.0.3 Apply DT170126
or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT170126

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmbusiness_automation_workflowMatch18.0.0.0
OR
ibmbusiness_automation_workflowMatch18.0.0.1
OR
ibmbusiness_automation_workflowMatch18.0.0.2
OR
ibmbusiness_automation_workflowMatch19.0.0.1
OR
ibmbusiness_automation_workflowMatch19.0.0.2
OR
ibmbusiness_automation_workflowMatch19.0.0.3
OR
ibmbusiness_automation_workflowMatch20.0.0.1
OR
ibmbusiness_automation_workflowMatch20.0.0.2
OR
ibmbusiness_automation_workflowMatch21.0.2
OR
ibmbusiness_automation_workflowMatch21.0.3
OR
ibmbusiness_automation_workflowMatch22.0.1

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.003 Low

EPSS

Percentile

71.7%