
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2023

Description

## Summary

In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF024 and 23.0.1-IF002.

## Vulnerability Details

**CVEID:** [CVE-2021-33813](https://exchange.xforce.ibmcloud.com/vulnerabilities/203804)
**DESCRIPTION:** JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/203804](https://exchange.xforce.ibmcloud.com/vulnerabilities/203804) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2023-1428](https://exchange.xforce.ibmcloud.com/vulnerabilities/258439)
**DESCRIPTION:** gRPC is vulnerable to a denial of service. By sending a specially crafted header, an attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/258439](https://exchange.xforce.ibmcloud.com/vulnerabilities/258439) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2023-32731](https://exchange.xforce.ibmcloud.com/vulnerabilities/257688)
**DESCRIPTION:** gRPC could allow a remote attacker to obtain sensitive information, caused by a flaw when the gRPC HTTP2 stack raised a header size exceeded error. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/257688](https://exchange.xforce.ibmcloud.com/vulnerabilities/257688) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)

**CVEID:** [CVE-2023-32732](https://exchange.xforce.ibmcloud.com/vulnerabilities/257693)
**DESCRIPTION:** gRPC is vulnerable to a denial of service, caused by a base64 encoding error for "-bin" suffixed headers. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a termination of the connection between an HTTP2 proxy and a gRPC server, resulting in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/257693](https://exchange.xforce.ibmcloud.com/vulnerabilities/257693) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2023-34453](https://exchange.xforce.ibmcloud.com/vulnerabilities/258186)
**DESCRIPTION:** snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/258186](https://exchange.xforce.ibmcloud.com/vulnerabilities/258186) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2023-34455](https://exchange.xforce.ibmcloud.com/vulnerabilities/258190)
**DESCRIPTION:** snappy-java is vulnerable to a denial of service, caused by the use of an unchecked chunk length in the hasNextChunk function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/258190](https://exchange.xforce.ibmcloud.com/vulnerabilities/258190) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2023-34454](https://exchange.xforce.ibmcloud.com/vulnerabilities/258188)
**DESCRIPTION:** snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/258188](https://exchange.xforce.ibmcloud.com/vulnerabilities/258188) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** [CVE-2023-33858](https://exchange.xforce.ibmcloud.com/vulnerabilities/257696)
**DESCRIPTION:** IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/257696](https://exchange.xforce.ibmcloud.com/vulnerabilities/257696) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2023-35899](https://exchange.xforce.ibmcloud.com/vulnerabilities/259354)
**DESCRIPTION:** IBM ICP4A - Business Automation Insights Core is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of CSV file contents.
CVSS Base score: 7
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/259354](https://exchange.xforce.ibmcloud.com/vulnerabilities/259354) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2022-41862](https://exchange.xforce.ibmcloud.com/vulnerabilities/248100)
**DESCRIPTION:** PostgreSQL could allow a remote attacker to obtain sensitive information, caused by a client memory disclosure flaw. By sending an unterminated string during the establishment of Kerberos transport encryption, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/248100](https://exchange.xforce.ibmcloud.com/vulnerabilities/248100) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2023-24815](https://exchange.xforce.ibmcloud.com/vulnerabilities/247027)
**DESCRIPTION:** Eclipse Vert.x-Web could allow a remote attacker to obtain sensitive information, caused by a flaw when mounted on a wildcard route. By sending a specially-crafted request, an attacker could exploit this vulnerability to exfiltrate any class path resource, and use this information to launch further attacks against the affected system.
CVSS Base score: 3.7
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/247027](https://exchange.xforce.ibmcloud.com/vulnerabilities/247027) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** [CVE-2022-25883](https://exchange.xforce.ibmcloud.com/vulnerabilities/258647)
**DESCRIPTION:** The Node.js semver package is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the new Range function. By providing specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/258647](https://exchange.xforce.ibmcloud.com/vulnerabilities/258647) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2023-26115](https://exchange.xforce.ibmcloud.com/vulnerabilities/256901)
**DESCRIPTION:** The Node.js word-wrap module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the result variable. By sending specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/256901](https://exchange.xforce.ibmcloud.com/vulnerabilities/256901) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2020-8908](https://exchange.xforce.ibmcloud.com/vulnerabilities/192996)
**DESCRIPTION:** Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/192996](https://exchange.xforce.ibmcloud.com/vulnerabilities/192996) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

**CVEID:** [CVE-2012-5783](https://exchange.xforce.ibmcloud.com/vulnerabilities/79984)
**DESCRIPTION:** Apache Commons HttpClient, as used in the Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](https://exchange.xforce.ibmcloud.com/vulnerabilities/79984) for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**CVEID:** [CVE-2020-13956](https://exchange.xforce.ibmcloud.com/vulnerabilities/189572)
**DESCRIPTION:** Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of a malformed authority component in request URIs. By passing request URIs to the library as a java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/189572](https://exchange.xforce.ibmcloud.com/vulnerabilities/189572) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** [CVE-2017-12621](https://exchange.xforce.ibmcloud.com/vulnerabilities/132761)
**DESCRIPTION:** Apache Commons Jelly could allow a remote attacker to bypass security restrictions, caused by improper handling of XML External Entity (XXE) entries when parsing an XML file. By persuading a victim to open a jelly file containing a specially crafted custom doctype entity in a SYSTEM entity that contains a URL, an attacker could exploit this vulnerability to conduct XML External Entity (XXE) attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/132761](https://exchange.xforce.ibmcloud.com/vulnerabilities/132761) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:** [CVE-2022-22976](https://exchange.xforce.ibmcloud.com/vulnerabilities/226733)
**DESCRIPTION:** Spring Security could provide weaker than expected security, caused by an integer overflow vulnerability which results in a lack of salt rounds when using the BCrypt class with the maximum work factor. A local authenticated attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/226733](https://exchange.xforce.ibmcloud.com/vulnerabilities/226733) for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

**CVEID:** [CVE-2016-1000027](https://exchange.xforce.ibmcloud.com/vulnerabilities/174367)
**DESCRIPTION:** Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw in the library. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/174367](https://exchange.xforce.ibmcloud.com/vulnerabilities/174367) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2020-7760](https://exchange.xforce.ibmcloud.com/vulnerabilities/190938)
**DESCRIPTION:** The Node.js codemirror module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By using the sub-pattern (s|/*.*?*/)*, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/190938](https://exchange.xforce.ibmcloud.com/vulnerabilities/190938) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2015-9251](https://exchange.xforce.ibmcloud.com/vulnerabilities/138029)
**DESCRIPTION:** jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/138029](https://exchange.xforce.ibmcloud.com/vulnerabilities/138029) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2019-11358](https://exchange.xforce.ibmcloud.com/vulnerabilities/159633)
**DESCRIPTION:** jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/159633](https://exchange.xforce.ibmcloud.com/vulnerabilities/159633) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2020-11022](https://exchange.xforce.ibmcloud.com/vulnerabilities/181349)
**DESCRIPTION:** jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/181349](https://exchange.xforce.ibmcloud.com/vulnerabilities/181349) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2020-11023](https://exchange.xforce.ibmcloud.com/vulnerabilities/181350)
**DESCRIPTION:** jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/181350](https://exchange.xforce.ibmcloud.com/vulnerabilities/181350) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** [CVE-2021-26291](https://exchange.xforce.ibmcloud.com/vulnerabilities/200608)
**DESCRIPTION:** Apache Maven could allow a remote attacker to bypass security restrictions, caused by the use of http (non-SSL) repository references by default. By sending a specially-crafted request, an attacker could exploit this vulnerability to take over the repository or to insert themselves into a position to pretend to be that repository.
CVSS Base score: 9.1
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/200608](https://exchange.xforce.ibmcloud.com/vulnerabilities/200608) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

**IBM X-Force ID:** 256137
**DESCRIPTION:** FasterXML Jackson Core is vulnerable to a denial of service, caused by improper input validation by the StreamReadConstraints value field. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/256137](https://exchange.xforce.ibmcloud.com/vulnerabilities/256137) for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

## Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Cloud Pak for Business Automation | V23.0.1 - V23.0.1-IF001 | affected |
| IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF023 | affected |
| IBM Cloud Pak for Business Automation | V22.0.2 - V22.0.2-IF006 and later fixes<br>V22.0.1 - V22.0.1-IF006 and later fixes<br>V21.0.2 - V21.0.2-IF012 and later fixes<br>V21.0.1 - V21.0.1-IF007 and later fixes<br>V20.0.1 - V20.0.3 and later fixes<br>V19.0.1 - V19.0.3 and later fixes<br>V18.0.0 - V18.0.2 and later fixes | affected |

## Remediation/Fixes

Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVEs in this bulletin are specifically addressed in the following components:

| CVE ID | Addressed in component |
|---|---|
| CVE-2012-5783 | Automation Decision Services |
| CVE-2015-9251 | Automation Decision Services |
| CVE-2016-1000027 | Automation Decision Services |
| CVE-2017-12621 | Automation Decision Services |
| CVE-2019-11358 | Automation Decision Services |
| CVE-2020-11022 | Automation Decision Services |
| CVE-2020-11023 | Automation Decision Services |
| CVE-2020-13956 | Automation Decision Services |
| CVE-2020-7760 | Automation Decision Services |
| CVE-2020-8908 | Automation Decision Services |
| CVE-2021-26291 | Automation Decision Services |
| CVE-2021-33813 | Business Automation Workflow, Business Automation Studio |
| CVE-2022-22976 | Automation Decision Services |
| CVE-2022-25883 | Business Automation Application |
| CVE-2022-41862 | Operational Decision Manager |
| CVE-2023-1428 | Automation Decision Services |
| CVE-2023-24815 | Automation Decision Services |
| CVE-2023-26115 | Business Automation Application |
| CVE-2023-32731 | Automation Decision Services |
| CVE-2023-32732 | Automation Decision Services |
| CVE-2023-33858 | Business Automation Workflow, Business Automation Studio |
| CVE-2023-34453 | Business Automation Workflow, Business Automation Studio |
| CVE-2023-34454 | Business Automation Workflow, Business Automation Studio |
| CVE-2023-34455 | Business Automation Workflow, Business Automation Studio |
| CVE-2023-35899 | Business Automation Insights |
| PRISMA-2023-0067 | Business Automation Insights |

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | V23.0.1 - V23.0.1-IF001 | Apply security fix [23.0.1-IF002](https://www.ibm.com/support/pages/node/7025263 "23.0.1-IF002") |
| IBM Cloud Pak for Business Automation | V22.0.2 - V22.0.2-IF005 | Apply security fix [23.0.1-IF002](https://www.ibm.com/support/pages/node/7025263 "23.0.1-IF002") |
| IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF023 | Apply security fix [21.0.3-IF024](https://www.ibm.com/support/pages/node/7017500 "21.0.3-IF024") or upgrade to [23.0.1-IF002](https://www.ibm.com/support/pages/node/7025263 "23.0.1-IF002") |
| IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF008<br>V20.0.1 - V20.0.3<br>V19.0.1 - V19.0.3<br>V18.0.0 - V18.0.2 | Upgrade to [21.0.3-IF024](https://www.ibm.com/support/pages/node/7017500 "21.0.3-IF024") or [23.0.1-IF002](https://www.ibm.com/support/pages/node/7025263 "23.0.1-IF002") |

## Workarounds and Mitigations

None
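As an added check that is not part of IBM's bulletin: a small Python helper that parses version strings in the form the tables above use (V21.0.3-IF023) and maps an installed IBM Cloud Pak for Business Automation version to the row of the Remediation/Fixes table it falls in. The ranges and fix names are copied from that table; the function names and the tuple-based comparison are this example's own assumptions.

```python
import re
from typing import Optional, Tuple

# Version strings in the form the bulletin's tables use, e.g. "V21.0.3-IF023" or "V22.0.2".
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)(?:-IF(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn "V21.0.3-IF023" into the comparable tuple (21, 0, 3, 23).

    A base release with no interim fix is iFix level 0, so it sorts before IF001.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, ifix = m.groups()
    return (int(major), int(minor), int(patch), int(ifix or 0))


# Rows copied from the bulletin's "Remediation/Fixes" table: (low, high, advice).
# A high bound without "-IFnnn" (e.g. "V20.0.3") covers every iFix of that release.
REMEDIATION_ROWS = [
    ("V23.0.1", "V23.0.1-IF001", "Apply security fix 23.0.1-IF002"),
    ("V22.0.2", "V22.0.2-IF005", "Apply security fix 23.0.1-IF002"),
    ("V21.0.3", "V21.0.3-IF023", "Apply security fix 21.0.3-IF024 or upgrade to 23.0.1-IF002"),
    ("V21.0.1", "V21.0.1-IF008", "Upgrade to 21.0.3-IF024 or 23.0.1-IF002"),
    ("V20.0.1", "V20.0.3", "Upgrade to 21.0.3-IF024 or 23.0.1-IF002"),
    ("V19.0.1", "V19.0.3", "Upgrade to 21.0.3-IF024 or 23.0.1-IF002"),
    ("V18.0.0", "V18.0.2", "Upgrade to 21.0.3-IF024 or 23.0.1-IF002"),
]


def _in_range(version: Tuple[int, int, int, int], low: str, high: str) -> bool:
    """True if version lies in [low, high]; an iFix-less high bound is open-ended within
    that release, so 20.0.3-IF007 still falls under "V20.0.1 - V20.0.3"."""
    lo = parse_version(low)
    hi = parse_version(high)
    high_has_ifix = "-IF" in high.upper()
    if version < lo:
        return False
    if version[:3] < hi[:3]:
        return True
    if version[:3] == hi[:3]:
        return version[3] <= hi[3] if high_has_ifix else True
    return False


def remediation_for(installed: str) -> Optional[str]:
    """Return the bulletin's fix advice for an installed version, or None when no
    remediation row covers it (meaning "check the bulletin", not "safe")."""
    version = parse_version(installed)
    for low, high, advice in REMEDIATION_ROWS:
        if _in_range(version, low, high):
            return advice
    return None


if __name__ == "__main__":
    for v in ("V23.0.1-IF001", "21.0.3-IF010", "20.0.2-IF005", "23.0.1-IF002"):
        print(f"{v:>14}: {remediation_for(v) or 'no remediation row matches'}")
```

Note that the bulletin's affected-versions table lists V22.0.2-IF006 "and later fixes" as affected while the remediation table stops at V22.0.2-IF005, so a version that matches no row should be re-checked against the bulletin rather than treated as unaffected.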


Affected Software


| Name | Version |
|---|---|
| ibm cloud pak for automation | 18.0.0 |
| ibm cloud pak for automation | 18.0.1 |
| ibm cloud pak for automation | 18.0.2 |
| ibm cloud pak for automation | 19.0.1 |
| ibm cloud pak for automation | 19.0.2 |
| ibm cloud pak for automation | 19.0.3 |
| ibm cloud pak for automation | 20.0.1 |
| ibm cloud pak for automation | 20.0.2 |
| ibm cloud pak for automation | 20.0.3 |
| ibm cloud pak for automation | 21.0.1 |
| ibm cloud pak for automation | 21.0.2 |
| ibm cloud pak for automation | 21.0.3 |
| ibm cloud pak for automation | 22.0.1 |
| ibm cloud pak for automation | 22.0.2 |
| ibm cloud pak for business automation | 18.0.0 |
| ibm cloud pak for business automation | 18.0.1 |
| ibm cloud pak for business automation | 18.0.2 |
| ibm cloud pak for business automation | 19.0.1 |
| ibm cloud pak for business automation | 19.0.2 |
| ibm cloud pak for business automation | 19.0.3 |
| ibm cloud pak for business automation | 20.0.1 |
| ibm cloud pak for business automation | 20.0.2 |
| ibm cloud pak for business automation | 20.0.3 |
| ibm cloud pak for business automation | 21.0.1 |
| ibm cloud pak for business automation | 21.0.2 |
| ibm cloud pak for business automation | 21.0.3 |
| ibm cloud pak for business automation | 22.0.1 |
| ibm cloud pak for business automation | 22.0.2 |
