History: Jan 16, 2024 - 8:00 p.m.

Security Bulletin: Multiple security vulnerabilities affect IBM Robotic Process Automation for Cloud Pak.

2024-01-16 20:00:29
www.ibm.com
ibm robotic process automation
security vulnerabilities
unbound
isc bind
gnu binutils
protobuf-c
tpm2-tss
microsoft .net framework
microsoft asp.net

9.8 High
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High
AI Score
Confidence: High

7.5 High
CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low
EPSS
Percentile: 69.7%

Summary

Unbound is used by IBM Robotic Process Automation for Cloud Pak as part of antivirus functionality (CVE-2019-25033). ISC BIND is used by IBM Robotic Process Automation for Cloud Pak as part of Watson NLP (CVE-2022-3094). GNU Binutils is used by IBM Robotic Process Automation for Cloud Pak as part of WebSphere Liberty (CVE-2022-35205, CVE-2022-35206). protobuf-c is used by IBM Robotic Process Automation for Cloud Pak as part of antivirus functionality (CVE-2022-48468). tpm2-tss is used by IBM Robotic Process Automation for Cloud Pak as part of WebSphere Liberty (CVE-2023-22745). Microsoft .NET Framework is used by IBM Robotic Process Automation for Cloud Pak as part of the .NET Runtime environment (CVE-2023-36049). Microsoft ASP.NET is used by IBM Robotic Process Automation for Cloud Pak as part of the .NET Runtime environment (CVE-2023-36558). This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID:CVE-2019-25033
**DESCRIPTION:**Unbound could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the ALIGN_UP macro used by the regional allocator. A remote attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200872 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-3094
**DESCRIPTION:**ISC BIND is vulnerable to a denial of service, caused by the allocation of memory prior to the checking of access permissions (ACLs). By sending an UPDATE message flood, a remote attacker could exploit this vulnerability to cause named to exhaust all available memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245430 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-35205
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a reachable assertion failure in function display_debug_names. By using a specially crafted file, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 4.0
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264302 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-35206
**DESCRIPTION:**GNU Binutils is vulnerable to a denial of service, caused by a NULL pointer dereference vulnerability in function read_and_display_attr_value in file dwarf.c. By using a specially crafted file, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 4.0
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264303 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-48468
**DESCRIPTION:**An unsigned integer overflow in parse_required_member in protobuf-c has an unknown impact and attack vector.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253266 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-22745
**DESCRIPTION:**tpm2-tss is vulnerable to a buffer overflow, caused by improper bounds checking in the Tss2_RC_SetHandler and Tss2_RC_Decode functions. By sending a specially-crafted request, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245269 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-36049
**DESCRIPTION:**Microsoft .NET, .NET Framework and Visual Studio could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an FTP command injection flaw. By injecting arbitrary FTP commands, an attacker could exploit this vulnerability to escalate privileges.
CVSS Base score: 7.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270963 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)

CVEID:CVE-2023-36558
**DESCRIPTION:**Microsoft ASP.NET could allow a local attacker to bypass security restrictions. An attacker could exploit this vulnerability to bypass validation on Blazor Server forms.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270918 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.12, 23.0.0 - 23.0.12

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now.

Product(s) | Version(s) number and/or range | Remediation/Fix/Instructions
IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.12 | Update to 21.0.7.13 or higher using the following instructions.
IBM Robotic Process Automation for Cloud Pak | 23.0.0 - 23.0.12 | Update to 23.0.13 or higher using the following instructions.
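The two affected ranges above are inclusive and have separate fix levels, so an inventory check has to place each installed build in the right stream before deciding what to update to. The following is an added example, not IBM tooling: it compares dotted version strings componentwise and maps an installed version to the fix level this bulletin prescribes. Versions of unequal length are zero-padded before comparison (an assumption; the bulletin does not say how a hypothetical four-part 23.0.x.y build relates to the three-part ranges it lists), and the sample inventory is constructed for illustration.

```python
"""Map installed IBM RPA for Cloud Pak versions to the fix level required by
this bulletin.

Added example, not IBM's tooling. AFFECTED_RANGES is copied from the
bulletin's Affected Products and Remediation tables. Assumption: versions
are compared as dotted integer tuples with missing trailing components
treated as 0.
"""
from __future__ import annotations

# (first affected, last affected, first fixed) per release stream, as published.
AFFECTED_RANGES = [
    ("21.0.0", "21.0.7.12", "21.0.7.13"),
    ("23.0.0", "23.0.12", "23.0.13"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'21.0.7.12' -> (21, 0, 7, 12); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {text!r}")
    return tuple(int(p) for p in parts)


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 comparing a to b componentwise; shorter tuples are zero-padded
    so that '21.0.7' and '21.0.7.0' compare equal (assumption, see module doc)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def required_fix(installed: str) -> str | None:
    """Return the fix level for an affected build, or None when the build lies
    outside every published range (already at or past the fix, or a stream the
    bulletin does not cover)."""
    for low, high, fixed in AFFECTED_RANGES:
        if version_cmp(low, installed) <= 0 and version_cmp(installed, high) <= 0:
            return fixed
    return None


def triage(inventory: dict[str, str]) -> dict[str, str | None]:
    """Map each deployment name to its required fix level (None = no action)."""
    return {name: required_fix(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; not real deployments.
    sample = {
        "rpa-prod": "21.0.7.12",
        "rpa-staging": "23.0.4",
        "rpa-dev": "23.0.13",
    }
    for name, fix in triage(sample).items():
        print(f"{name}: {'update to ' + fix if fix else 'no action required'}")
```

Builds that are already at 21.0.7.13 or 23.0.13 return None, as does any version outside both ranges; treat the latter as "verify manually" rather than "safe" if the stream is not one the bulletin names.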

Workarounds and Mitigations

None.
