Lucene search

K
ibmIBMF2CBB3D4B618DD7C213E19E240FA6B48C890506554AA2D0F5052FC60BB211A77
HistorySep 20, 2023 - 2:08 p.m.

Security Bulletin: A vulnerability in Apache Johnzon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-33008)

2023-09-2014:08:58
www.ibm.com
8
ibm
robotic process automation
apache johnzon
denial of service
vulnerability
cve-2023-33008

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

53.0%

Summary

There is a vulnerability in Apache Jonzon used by IBM Robotic Process Automation as part of the IBM Licensing and Metris Tool, which may result in a denial of service (CVE-2023-33008). This bulletin identifies the security fixes to apply to address this vulnerability.

Vulnerability Details

CVEID:CVE-2023-33008
**DESCRIPTION:**Apache Johnzon is vulnerable to a denial of service, caused by an unsafe deserialization flaw in BigDecimal. By sending a specially crafted JSON input, a remote attacker could exploit this vulnerability to cause a slow conversion, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259976 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Robotic Process Automation 21.0.0 - 21.0.7.8, 23.0.0 - 23.0.9
IBM Robotic Process Automation for Cloud Pak 21.0.0 - 21.0.7.8, 23.0.0 - 23.0.9

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s) **Version(s) number and/or range ** Remediation/Fix/Instructions
IBM Robotic Process Automation 21.0.0 - 21.0.7.8 Download 21.0.7.9 or higher and follow these instructions.
IBM Robotic Process Automation for Cloud Pak 21.0.0 - 21.0.7.8 Update to 21.0.7.9 or higher using the following instructions.
IBM Robotic Process Automation 23.0.0 - 23.0.9 Download 23.0.10 or higher and follow these instructions.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.9| Update to 23.0.10 or higher using the following instructions.

Workarounds and Mitigations

None.

Affected configurations

Vulners
Node
ibmrobotic_process_automationMatch21.0.0
OR
ibmrobotic_process_automationMatch21.0.7.8
OR
ibmrobotic_process_automationMatch23.0.0
OR
ibmrobotic_process_automationMatch23.0.9

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

53.0%

Related for F2CBB3D4B618DD7C213E19E240FA6B48C890506554AA2D0F5052FC60BB211A77