Security Bulletin: A vulnerability in Apache Johnzon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-33008)

2023-09-2014:08:58

www.ibm.com

ibm

robotic process automation

apache johnzon

denial of service

vulnerability

cve-2023-33008

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

53.0%

JSON

Summary

There is a vulnerability in Apache Jonzon used by IBM Robotic Process Automation as part of the IBM Licensing and Metris Tool, which may result in a denial of service (CVE-2023-33008). This bulletin identifies the security fixes to apply to address this vulnerability.

Vulnerability Details

CVEID:CVE-2023-33008
**DESCRIPTION:**Apache Johnzon is vulnerable to a denial of service, caused by an unsafe deserialization flaw in BigDecimal. By sending a specially crafted JSON input, a remote attacker could exploit this vulnerability to cause a slow conversion, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259976 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Robotic Process Automation	21.0.0 - 21.0.7.8, 23.0.0 - 23.0.9
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.8, 23.0.0 - 23.0.9

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Robotic Process Automation	21.0.0 - 21.0.7.8	Download 21.0.7.9 or higher and follow these instructions.
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.8	Update to 21.0.7.9 or higher using the following instructions.
IBM Robotic Process Automation	23.0.0 - 23.0.9	Download 23.0.10 or higher and follow these instructions.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.9| Update to 23.0.10 or higher using the following instructions.

Workarounds and Mitigations

None.

Affected configurations

Vulners

Node

ibmrobotic_process_automationMatch21.0.0

ibmrobotic_process_automationMatch21.0.7.8

ibmrobotic_process_automationMatch23.0.0

ibmrobotic_process_automationMatch23.0.9

CPENameOperatorVersion
ibm robotic process automationeq21.0.0
ibm robotic process automationeq21.0.7.8
ibm robotic process automationeq23.0.0
ibm robotic process automationeq23.0.9

Name	Operator	Version
ibm robotic process automation	eq	21.0.0
ibm robotic process automation	eq	21.0.7.8
ibm robotic process automation	eq	23.0.0
ibm robotic process automation	eq	23.0.9