Lucene search

IBMD4BB61905E74501D24C3DA7E12A0C9B055075DE70ECF6A003ECD1A4215C0B608

HistoryJun 03, 2024 - 11:26 a.m.

Security Bulletin: Vulnerability in jjwt may affect IBM Business Automation Workflow - CVE-2024-31033

2024-06-0311:26:11

www.ibm.com

ibm business automation workflow

vulnerability

jjwt

cve-2024-31033

cvss

containers

traditional

enterprise service bus

interim fix

cumulative fix

apar dt378426

upgrade

supported version

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

Confidence

High

EPSS

Percentile

15.5%

JSON

Summary

IBM Business Automation Workflow packages a vulnerable copy of jjwt.

Vulnerability Details

CVEID:CVE-2024-31033
**DESCRIPTION:**An unspecified error with ignoring certain characters in jwtk JJWT (aka Java JWT) has an unknown impact and attack vector.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286924 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)	Status
IBM Business Automation Workflow containers

V23.0.2 - V23.0.2-IF004
V23.0.1 all fixes
V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF032
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes

| affected
IBM Business Automation Workflow traditional| V23.0.1 - V23.0.2
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
IBM Business Automation Workflow Enterprise Service Bus| V23.0.1 - V23.0.2
V22.0.2| affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT378426 as soon as practical.

Affected Product(s)	Version(s)	Remediation / Fix
IBM Business Automation Workflow containers	V23.0.2	Apply 23.0.2-IF005
IBM Business Automation Workflow containers	V21.0.3	Apply 21.0.3-IF033
or upgrade to 23.0.2-IF005 or later
IBM Business Automation Workflow containers	V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.2
V20.0.0.1 - V20.0.0.2	Upgrade to 21.0.3-IF033
or upgrade to 23.0.2-IF005 or later
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus	V23.0.2	Apply DT378426
IBM Business Automation Workflow traditional	V21.0.3.1	Apply DT378426
IBM Business Automation Workflow traditional

V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.0
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.1 - V18.0.0.3

| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmbusiness_automation_workflowMatch22.0.2enterprise_service_bus

ibmbusiness_automation_workflowMatch23.0.1enterprise_service_bus

ibmbusiness_automation_workflowMatch23.0.2enterprise_service_bus

ibmbusiness_automation_workflowMatch18.0.0.0

ibmbusiness_automation_workflowMatch18.0.0.1

ibmbusiness_automation_workflowMatch18.0.0.2

ibmbusiness_automation_workflowMatch19.0.0.1

ibmbusiness_automation_workflowMatch19.0.0.2

ibmbusiness_automation_workflowMatch19.0.0.3

ibmbusiness_automation_workflowMatch20.0.0.1

ibmbusiness_automation_workflowMatch20.0.0.2

ibmbusiness_automation_workflowMatch21.0.2

ibmbusiness_automation_workflowMatch21.0.3

ibmbusiness_automation_workflowMatch22.0.1

ibmbusiness_automation_workflowMatch22.0.2

ibmbusiness_automation_workflowMatch23.0.1

ibmbusiness_automation_workflowMatch23.0.2

VendorProductVersionCPE
ibmbusiness_automation_workflow22.0.2cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:*
ibmbusiness_automation_workflow23.0.1cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:enterprise_service_bus:*:*:*
ibmbusiness_automation_workflow23.0.2cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:enterprise_service_bus:*:*:*
ibmbusiness_automation_workflow18.0.0.0cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.1cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.2cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.1cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.2cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.3cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
ibmbusiness_automation_workflow20.0.0.1cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	business_automation_workflow	22.0.2	cpe:2.3:a:ibm:business_automation_workflow:22.0.2::::enterprise_service_bus:::
ibm	business_automation_workflow	23.0.1	cpe:2.3:a:ibm:business_automation_workflow:23.0.1::::enterprise_service_bus:::
ibm	business_automation_workflow	23.0.2	cpe:2.3:a:ibm:business_automation_workflow:23.0.2::::enterprise_service_bus:::
ibm	business_automation_workflow	18.0.0.0	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:::::::*
ibm	business_automation_workflow	18.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:::::::*
ibm	business_automation_workflow	18.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:::::::*
ibm	business_automation_workflow	19.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:::::::*
ibm	business_automation_workflow	19.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:::::::*
ibm	business_automation_workflow	19.0.0.3	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:::::::*
ibm	business_automation_workflow	20.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:::::::*