CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
88.8%
In addition to many updates of operating system level packages, the following security vulnerability is addressed with IBM Cloud Pak for Business Automation 21.0.3-IF016 and 22.0.1-IF006.
CVEID:CVE-2017-10355
**DESCRIPTION:**An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/133784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-42920
**DESCRIPTION:**Apache Commons BCEL could allow a remote attacker to bypass security restrictions, caused by an out-of-bounds write flaw in the APIs. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain control over the resulting bytecode than otherwise expected.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239562 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-2047
**DESCRIPTION:**Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this vulnerability to the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2022-42435
**DESCRIPTION:**IBM Business Automation Workflow is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238054 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Affected Product(s) | Version(s) | Status |
---|
IBM Cloud Pak for Business Automation
| V22.0.1 - V22.0.1-IF005| affected
IBM Cloud Pak for Business Automation| V21.0.3 - V21.0.3-IF015| affected
IBM Cloud Pak for Business Automation|
V21.0.2 - V21.0.2-IF012 and later fixes
V21.0.1 - V21.0.1-IF007 and later fixes
V20.0.1 - V20.0.3 and later fixes
V19.0.1 - V19.0.3 and later fixes
V18.0.0 - V18.0.2 and later fixes
| affected
Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by
CVE ID | Addressed in component |
---|---|
CVE-2022-2047 | Operational Decision Management component |
CVE-2022-42435 | Business Automation Workflow Component |
CVE-2017-10355 | Automation Decision Service Component |
CVE-2022-42920 | Business Automation Workflow / Workflow Process Service / Business Automation Studio |
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Cloud Pak for Business Automation | V22.0.1 - V22.0.1-IF005 | Apply security fix 22.0.1-IF006 |
IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF015 | Apply security fix 21.0.3-IF016 or upgrade to 22.0.1-IF006 |
IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF008 | |
V20.0.1 - V20.0.3 | ||
V19.0.1 - V19.0.3 | ||
V18.0.0 - V18.0.2 | Upgrade to 21.0.3-IF016 or 22.0.1-IF006 |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | cloud_pak_for_automation | 18.0.0 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.0:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 18.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 18.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.2:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 19.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 19.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 19.0.3 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 20.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 20.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 20.0.3 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:* |
ibm | cloud_pak_for_automation | 21.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
88.8%