Security Bulletin: Vulnerability in Python affects IBM Process Mining . CVE-2022-48566

Summary

There is a vulnerability in Python that could allow a local authenticated attacker to obtain sensitive information. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-48566
**DESCRIPTION:**Python could allow a local authenticated attacker to obtain sensitive information, caused by a constant-time-defeating optimisations issue in the compare_digest function in Lib/hmac.py. By sending a specially crafted request using the accumulator variable in hmac.compare_digest, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264548 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Remediation/Fixes guidance:

1.14.1, 1.14.0, 1.13.2

|

Upgrade to version 1.14.2

1.Login to PassPortAdvantage

2. Search for
M0FHQML
Process Mining 1.14.2 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M0FHRML Process Mining 1.14.2 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known