Nov 30, 2022 - 5:51 p.m.

Security Bulletin: IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to information disclosure and weaker security (CVE-2022-43901, CVE-2022-43900)

2022-11-30 17:51:20
www.ibm.com
ibm
websphere automation
cloud pak
watson aiops
vulnerability
information disclosure
security
cve-2022-43901
cve-2022-43900
upgrade
version 1.4.3
ibm docs

CVSS3: 6.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

EPSS: 0
Percentile: 5.1%

Summary

IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps could disclose sensitive information and contain weaker than expected security. This has been addressed.

Vulnerability Details

CVEID: CVE-2022-43901
**DESCRIPTION:** IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps could disclose sensitive information. An authenticated local attacker could exploit this vulnerability to possibly gain information to other IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps components.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240829 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-43900
**DESCRIPTION:** IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps could provide weaker than expected security. A local attacker can create an outbound network connection to another system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240827 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

These vulnerabilities affect all versions of IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps up to and including 1.4.2.

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading to 1.4.3 or higher.

Follow https://www.ibm.com/docs/en/ws-automation?topic=installing-validating-installation to confirm the WebSphere Automation operator version.

Follow https://www.ibm.com/docs/en/ws-automation?topic=installing-updating-websphere-automation to update the WebSphere Automation operator installation.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node: ibm websphere_automation_for_ibm_cloud_pak_for_watson_aiops, Match 1.4.2.

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | websphere_automation_for_ibm_cloud_pak_for_watson_aiops | 1.4.2. | cpe:2.3:a:ibm:websphere_automation_for_ibm_cloud_pak_for_watson_aiops:1.4.2.:*:*:*:*:*:*:* |
