Security Bulletin: Vulnerability in Bouncy Castle Crypto Package For Java affects IBM Process Mining CVE-2024-34447

Summary

There is a vulnerability in Bouncy Castle Crypto Package For Java that could allow an attacker to perform a DNS poisoning attack on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2024-34447
**DESCRIPTION:**The Bouncy Castle Crypto Package For Java could allow a remote attacker to bypass security restrictions, caused by a flaw when endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname. By sending a specially crafted request, an attacker could exploit this vulnerability to perform DNS poisoning attack.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/289933 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Any open source library may be included in one or more sub-components of IBM Process Mining. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by

Installing a Production deployment
1.**To deploy a Production deployment, see installing on
RedHat OpenShift Container Platform environments

**Upgrading an Installation **** **1.To perform an upgrade of a Production deployment, see
upgrading in RedHat OpenShift Container Platform
environments
IBM Process Mining traditional| 1.14.4, 1.14.3, 1.14.2, 1.14.1, 1.14.0| **Install/Upgrade to version 1.15.0

** 1.Login to PassPortAdvantage
2.Search for
M0JHZML Process Mining 1.15.0 Server Multiplatform
Multilingual
3.Download package
4.Follow install instructions
5.Repeat for M0JJ0ML Process Mining 1.15.0 Client
Windows Multilingual
| | ** **

Workarounds and Mitigations

None known