IBMF9D401C3BEE7686110EB3656E6062DBFD73F805CF611114E5A4762B7A22DEC4ESecurity Bulletin: Vulnerability in Apache Kafka may affect IBM Business Automation Workflow - CVE-2023-25194
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.7%
Summary
IBM Business Automation Workflow packages a copy Apache Kafka client library. A security vulnerability has been reported for the same version of Apache Kafka.
Vulnerability Details
CVEID:CVE-2023-25194
**DESCRIPTION:**Apache Kafka could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configuring the connector via the Kafka Connect REST API. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers |
V22.0.2 - V22.0.2.IF002
V22.0.1 all fixes
V21.0.3 - V21.0.3-IFIF018
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| affected
IBM Business Automation Workflow traditional| V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
IBM Business Automation Workflow Enterprise Service Bus| V22.0.2| affected
(library is present, but not used)
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT196140 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.2 | Apply 22.0.2-IF003 |
| IBM Business Automation Workflow containers | V22.0.1 | Upgrade to Business Automation Workflow on Containers 22.0.2 and apply 22.0.2-IF003 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF019 |
| or upgrade to 22.0.2-IF003 or later | ||
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF019 | |
| or upgrade to 22.0.2-IF003 or later | ||
| IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V22.0.2 | Apply DT196140 |
| IBM Business Automation Workflow traditional | V21.0.3.1 | Upgrade to IBM Business Automation Workflow traditional V22.0.2 and apply DT196140 |
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT196140 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT196140 | ||
| IBM Business Automation Workflow traditional | V22.0.1 | |
| V21.0.2 | ||
| V20.0.0.1 | ||
| V19.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |
Workarounds and Mitigations
None
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.7%