7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
63.9%
Case (history) event emitters in IBM Business Automation Workflow are affected by multiple vulnerabilities in jackson-databind.
CVEID:CVE-2022-42003
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237662 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-42004
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in in the BeanDeserializer._deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237660 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Business Automation Workflow containers |
V22.0.2
| not affected
IBM Business Automation Workflow containers|
V22.0.1 - V22.0.1-IF004
V21.0.3 - V21.0.3-IF014
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| affected
IBM Business Automation Workflow traditional| V22.0.2| not affected
IBM Business Automation Workflow traditional| V22.0.1
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT169189 as soon as practical.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Business Automation Workflow containers | V22.0.1 |
Apply 22.0.1-IF005
or Upgrade to Business Automation Workflow on Containers 22.0.2 or later
IBM Business Automation Workflow containers| V21.0.3| Apply 21.0.3-IF015
or Upgrade to Business Automation Workflow on Containers 22.0.2 or later
IBM Business Automation Workflow containers| V21.0.2
V20.0.0.1 - V20.0.0.2| Upgrade to 21.0.3-IF015
or Upgrade to Business Automation Workflow on Containers 22.0.2 or later
IBM Business Automation Workflow traditional| V22.0.1|
Upgrade to IBM Business Automation Workflow traditional V22.0.2 or later
IBM Business Automation Workflow traditional| V21.0.3.1 |
Apply DT169189
or upgrade to IBM Business Automation Workflow traditional V22.0.2 or later
IBM Business Automation Workflow traditional| V20.0.0.2| Apply DT169189
or upgrade to IBM Business Automation Workflow traditional V22.0.2 or later
IBM Business Automation Workflow traditional|
V21.0.2
V20.0.0.1
V19.0.0.1 - V19.0.0.3
earlier unsupported versions
| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum
None
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
63.9%