IBM45D65056DE531CDD771BD40549616090DFC345FD0B4BF9567D5BF295C803C7C6Security Bulletin: Vulnerability in spring-expressions may affect IBM Business Automation Workflow - CVE-2023-20863
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.003 Low
EPSS
Percentile
70.0%
Summary
IBM Business Automation Workflow packages a vulnerable copy of spring-expressions in BPM/Lombardi/lib.
Vulnerability Details
CVEID:CVE-2023-20863
**DESCRIPTION:**VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted SpEL expression, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252807 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers |
V22.0.2 - V22.0.2.IF004
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF020
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes
| affected
IBM Business Automation Workflow traditional| V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
IBM Business Automation Workflow Enterprise Service Bus| V22.0.2| affected
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT211505 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.2 | Apply 22.0.2-IF005 |
| IBM Business Automation Workflow containers | V22.0.1 | Upgrade to Business Automation Workflow on Containers 22.0.2 and apply 22.0.2-IF005 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF021 |
| or upgrade to 22.0.2-IF005 or later | ||
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF021 | |
| or upgrade to 22.0.2-IF005 or later | ||
| IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V22.0.2 | Apply DT211505 |
| IBM Business Automation Workflow traditional | V21.0.3.1 | DT211505 or |
| Upgrade to IBM Business Automation Workflow traditional V22.0.2 and apply DT211505 | ||
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT211505 |
| or upgrade to IBM Business Automation Workflow traditional V22.0.2 or later and apply DT211505 | ||
| IBM Business Automation Workflow traditional | V22.0.1 | |
| V21.0.2 | ||
| V20.0.0.1 | ||
| V19.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |
Workarounds and Mitigations
None
Affected configurations
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
0.003 Low
EPSS
Percentile
70.0%