IBM087779B306CCE3B086A95BF5C7B5DE86DAF8E2E252170714A7A164E3F9AB1FFFSecurity Bulletin: Multiple vulnerabilities in go and opm affect IBM Robotic Process Automation.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
76.2%
Summary
Multiple vulnerabilities in go and opm affect IBM Robotic Process Automation. IBM MQ is used by IBM Robotic Process Automation for message queueing. This bulletin identifies the security fixes to apply to address the vulnerability.
Vulnerability Details
CVEID:CVE-2017-11468
**DESCRIPTION:**Docker Registry is vulnerable to a denial of service, caused by the failure to restrict content sizes. An attacker could exploit this vulnerability to cause memory consumption.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/129343 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2021-41190
**DESCRIPTION:**Open Container Initiative Distribution Specification could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when a Content-Type header changed between two pulls of the same digest. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause a client to interpret the resulting content differently.
CVSS Base score: 3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213802 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N)
CVEID:CVE-2023-39318
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265941 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2023-39319
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265942 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2023-39323
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by improper enforcement of line directive restrictions in the “//go:cgo_” directives. By providing specially crafted input in the linker and compiler flags, an attacker could exploit this vulnerability to execute arbitrary code on the system. Note: The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268524 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2023-45142
**DESCRIPTION:**OpenTelemetry OpenTelemetry-Go Contrib is vulnerable to a denial of service, caused by an unbound cardinality metrics flaw in otelhttp. By sending specially crafted HTTP requests, a remote attacker could exploit this vulnerability to cause a resource consumption, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268837 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-45283
**DESCRIPTION:**Golang Go could allow a remote attacker to traverse directories on the system, caused by the failure to recognize paths with a ??\ prefix as a Root Local Device path prefix in the filepath and safefilepath package. An attacker could send a specially crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-45284
**DESCRIPTION:**Golang Go could provide weaker than expected security, caused by the failure to correctly detect reserved device names in some cases by the IsLocal function in the filepath package. An attacker could exploit this vulnerability to report “COM1”, and reserved names “COM” and “LPT” followed by superscript 1, 2, or 3 as local.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/270989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-49568
**DESCRIPTION:**go-git is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted responses from a Git server, a remote attacker could exploit this vulnerability to trigger resource exhaustion in go-git clients, and results in a denial of service conditoin.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279389 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-49569
**DESCRIPTION:**go-git could allow a remote attacker to traverse directories on the system. By sending a specially crafted request using the ChrootOS <https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS>, an attacker could exploit this vulnerability to create and amend files across the filesystem and possibly execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279932 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.14, 23.0.0 - 23.0.14 |
| IBM Robotic Process Automation | 21.0.0 - 21.0.7.14, 23.0.0 - 23.0.14 |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now.
| Product(s) | **Version(s) number and/or range ** | Remediation/Fix/Instructions |
|---|---|---|
| IBM Robotic Process Automation | 21.0.0 - 21.0.7.14 | Download 21.0.7.15 or higher and follow these instructions. |
| IBM Robotic Process Automation for Cloud Pak | 21.0.0 - 21.0.7.14 | Update to 21.0.7.15 or higher using the following instructions. |
| IBM Robotic Process Automation | 23.0.0 - 23.0.14 | Download 23.0.15 or higher and follow these instructions. |
IBM Robotic Process Automation for Cloud Pak
| 23.0.0 - 23.0.14| Update to 23.0.15 or higher using the following instructions.
Workarounds and Mitigations
None.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | robotic_process_automation | 21.0.0 | cpe:2.3:a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:* |
| ibm | robotic_process_automation | 21.0.7.14 | cpe:2.3:a:ibm:robotic_process_automation:21.0.7.14:*:*:*:*:*:*:* |
| ibm | robotic_process_automation | 23.0.0 | cpe:2.3:a:ibm:robotic_process_automation:23.0.0:*:*:*:*:*:*:* |
| ibm | robotic_process_automation | 23.0.14 | cpe:2.3:a:ibm:robotic_process_automation:23.0.14:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
76.2%