Lucene search

K
ibmIBMB5C88231F2C0E52733BA703C2799F8B4FE44367E24D39CE4B51E709F3F1EDE81
HistoryOct 09, 2023 - 10:53 a.m.

Security Bulletin: Vulnerability in Python affects IBM Process Mining . CVE-2022-48566

2023-10-0910:53:43
www.ibm.com
17
python
ibm process mining
cve-2022-48566
vulnerability
sensitive information
security fixes
remediation
passportadvantage
multiplatform
windows

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

29.1%

Summary

There is a vulnerability in Python that could allow a local authenticated attacker to obtain sensitive information. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-48566
**DESCRIPTION:**Python could allow a local authenticated attacker to obtain sensitive information, caused by a constant-time-defeating optimisations issue in the compare_digest function in Lib/hmac.py. By sending a specially crafted request using the accumulator variable in hmac.compare_digest, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264548 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Process Mining 1.14.1, 1.14.0, 1.13.2

Remediation/Fixes

Remediation/Fixes guidance:

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Process Mining

1.14.1, 1.14.0, 1.13.2

|

Upgrade to version 1.14.2

1.Login to PassPortAdvantage

2. Search for
M0FHQML
Process Mining 1.14.2 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M0FHRML Process Mining 1.14.2 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known

Affected configurations

Vulners
Node
ibmcloud_pak_for_automationMatch1.14.1
OR
ibmcloud_pak_for_automationMatch1.14.0
OR
ibmcloud_pak_for_automationMatch1.13.2

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

29.1%