Lucene search

K
ibmIBMF9D401C3BEE7686110EB3656E6062DBFD73F805CF611114E5A4762B7A22DEC4E
HistoryMar 31, 2023 - 1:48 p.m.

Security Bulletin: Vulnerability in Apache Kafka may affect IBM Business Automation Workflow - CVE-2023-25194

2023-03-3113:48:35
www.ibm.com
27
apache kafka
ibm business automation workflow
vulnerability
remote authentication
arbitrary code execution
denial of service
container
traditional
enterprise service bus
security fix
cve-2023-25194

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.966

Percentile

99.7%

Summary

IBM Business Automation Workflow packages a copy Apache Kafka client library. A security vulnerability has been reported for the same version of Apache Kafka.

Vulnerability Details

**CVEID:**CVE-2023-25194 DESCRIPTION: Apache Kafka could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configuring the connector via the Kafka Connect REST API. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s) Status
IBM Business Automation Workflow containers V22.0.2 - V22.0.2.IF002
V22.0.1 all fixes
V21.0.3 - V21.0.3-IFIF018
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes affected
IBM Business Automation Workflow traditional V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3 affected
IBM Business Automation Workflow Enterprise Service Bus V22.0.2 affected
(library is present, but not used)

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT196140 as soon as practical.

Affected Product(s) Version(s) Remediation / Fix
IBM Business Automation Workflow containers V22.0.2 Apply 22.0.2-IF003
IBM Business Automation Workflow containers V22.0.1 Upgrade to Business Automation Workflow on Containers 22.0.2 and apply 22.0.2-IF003
IBM Business Automation Workflow containers V21.0.3 Apply 21.0.3-IF019
or upgrade to 22.0.2-IF003 or later
IBM Business Automation Workflow containers V21.0.2
V20.0.0.1 - V20.0.0.2 Upgrade to 21.0.3-IF019
or upgrade to 22.0.2-IF003 or later
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus V22.0.2 Apply DT196140
IBM Business Automation Workflow traditional V21.0.3.1 Upgrade to IBM Business Automation Workflow traditional V22.0.2 and apply DT196140
IBM Business Automation Workflow traditional V20.0.0.2 Apply DT196140
or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT196140
IBM Business Automation Workflow traditional V22.0.1
V21.0.2
V20.0.0.1
V19.0.0.3 Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmbusiness_automation_workflowMatch22.0.2enterprise_service_bus
OR
ibmbusiness_automation_workflowMatch18.0.0.0
OR
ibmbusiness_automation_workflowMatch18.0.0.1
OR
ibmbusiness_automation_workflowMatch18.0.0.2
OR
ibmbusiness_automation_workflowMatch19.0.0.1
OR
ibmbusiness_automation_workflowMatch19.0.0.2
OR
ibmbusiness_automation_workflowMatch19.0.0.3
OR
ibmbusiness_automation_workflowMatch20.0.0.1
OR
ibmbusiness_automation_workflowMatch20.0.0.2
OR
ibmbusiness_automation_workflowMatch21.0.2
OR
ibmbusiness_automation_workflowMatch21.0.3
OR
ibmbusiness_automation_workflowMatch22.0.1
OR
ibmbusiness_automation_workflowMatch22.0.2
VendorProductVersionCPE
ibmbusiness_automation_workflow22.0.2cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:*
ibmbusiness_automation_workflow18.0.0.0cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.1cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.2cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.1cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.2cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.3cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
ibmbusiness_automation_workflow20.0.0.1cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow20.0.0.2cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow21.0.2cpe:2.3:a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:*
Rows per page:
1-10 of 131

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.966

Percentile

99.7%