CVSS3: 3.4 Low

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:P/I:N/A:N
Microsoft SQL Server Express 2014 is shipped with IBM Robotic Process Automation with Automation Anywhere. Information about a security vulnerability affecting Microsoft SQL Server Express 2014 has been published in a security bulletin.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
The affected part is the database communication between the Control Room and the Microsoft SQL Server database.
DESCRIPTION: IBM Robotic Process Automation with Automation Anywhere could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plain text of encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
IBM Robotic Process Automation with Automation Anywhere v10.0 and v10.0 CF2017.12
Refer to the following security bulletins for vulnerability details and information about fixes addressed by Microsoft SQL Server Express 2014, which is shipped with IBM Robotic Process Automation with Automation Anywhere.
Principal Product and Versions | Affected Supporting Product and Versions | Affected Supporting Product Security Bulletin |
---|---|---|
IBM Robotic Process Automation with Automation Anywhere | Microsoft SQL Server Express 2014 | Microsoft security advisory: Vulnerability in SSL 3.0 could allow information disclosure: October 15, 2014 |
The Microsoft SQL Server Express installation image provided in the IBM Robotic Process Automation with Automation Anywhere Control Room installation package is at level 2014 SP1 Cumulative Update 4, which defaults database communication with clients to SSLv3. IBM recommends upgrading to the latest Cumulative Update of Microsoft SQL Server Express 2014. Upgrading to Cumulative Update 5 and later changes communication to TLS 1.2. See the Microsoft SQL Server article on enabling TLS 1.2 protocols.
Upgrading to Microsoft SQL Server Express SP1 Cumulative Update 5 and later resolves CVE-2014-3566 with the provided express install. No configuration change is needed for IBM Robotic Process Automation with Automation Anywhere.
CPE Name | Operator | Version |
---|---|---|
ibm robotic process automation with automation anywhere | eq | 10.0 |