Lucene search

IBM0D4B6BFB14C6C0B81EB004A40459B68BC567D057CBCF547BC2B689F338AC23D4

HistoryJan 03, 2024 - 9:30 p.m.

Security Bulletin: Vulnerabilities in Watson NLP and WebSphere Liberty may affect IBM Robotic Process Automation for Cloud Pak

2024-01-0321:30:42

www.ibm.com

ibm robotic process automation

cloud pak

watson nlp

websphere liberty

python

gnu gdb

cve-2022-48565

cve-2023-39129

xxe

denial of service

heap use-after-free

ibm

security vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

64.9%

JSON

Summary

Python is used by IBM Robotic Process Automation for Cloud Pak as part of Watson NLP and WebSphere Liberty. (CVE-2022-48565). GNU gdb is used by IBM Robotic Process Automation for Cloud Pak as part of WebSphere Liberty and base container images. (CVE-2023-39129).

Vulnerability Details

CVEID:CVE-2022-48565
**DESCRIPTION:**Python could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264547 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-39129
**DESCRIPTION:**GNU gdb is vulnerable to a denial of service, caused by a heap use-after-free flaw in the add_pe_exported_sym function in /gdb/coff-pe-read.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261649 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.10, 23.0.0 - 23.0.10

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s)	Version(s) number and/or range	Remediation/Fix/Instructions
IBM Robotic Process Automation for Cloud Pak	21.0.0 - 21.0.7.10	Update to 21.0.7.11 or higher using the following instructions.

IBM Robotic Process Automation for Cloud Pak

| 23.0.0 - 23.0.10| Update to 23.0.11 or higher using the following instructions.

Workarounds and Mitigations

None.

Affected configurations

Vulners

Node

ibmrobotic_process_automationMatch21.0.0

ibmrobotic_process_automationMatch21.0.7.10

ibmrobotic_process_automationMatch23.0.0

ibmrobotic_process_automationMatch23.0.10

VendorProductVersionCPE
ibmrobotic_process_automation21.0.0cpe:2.3:a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:*
ibmrobotic_process_automation21.0.7.10cpe:2.3:a:ibm:robotic_process_automation:21.0.7.10:*:*:*:*:*:*:*
ibmrobotic_process_automation23.0.0cpe:2.3:a:ibm:robotic_process_automation:23.0.0:*:*:*:*:*:*:*
ibmrobotic_process_automation23.0.10cpe:2.3:a:ibm:robotic_process_automation:23.0.10:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	robotic_process_automation	21.0.0	cpe:2.3:a:ibm:robotic_process_automation:21.0.0:::::::*
ibm	robotic_process_automation	21.0.7.10	cpe:2.3:a:ibm:robotic_process_automation:21.0.7.10:::::::*
ibm	robotic_process_automation	23.0.0	cpe:2.3:a:ibm:robotic_process_automation:23.0.0:::::::*
ibm	robotic_process_automation	23.0.10	cpe:2.3:a:ibm:robotic_process_automation:23.0.10:::::::*