IBM4B75A64A106BF738114A5DE60A0ECBE13653DF86F60F7A5D0635A0FA5D0FEDA6Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2022
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
71.9%
Summary
In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF012 and 22.0.1-IF002.
Vulnerability Details
CVEID:CVE-2021-35561
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Utility component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211637 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-35279
**DESCRIPTION:**IBM Business Automation Workflow could disclose sensitive version information to authenticated users which could be used in further attacks against the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230537 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2022-21496
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224777 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2022-21434
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2022-21443
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224726 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-25896
**DESCRIPTION:**Node.js passport module could allow a remote attacker to hijack a user’s session, caused by a session fixation vulnerability. An attacker could exploit this vulnerability to hijack sessions that were regenerated instead of closed.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230257 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID:CVE-2022-35644
**DESCRIPTION:**IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230957 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2022-22476
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2018-25031
**DESCRIPTION:**swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID:CVE-2022-21299
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217594 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2022-28948
**DESCRIPTION:**Go-Yaml is vulnerable to a denial of service, caused by a flaw in the Unmarshal function. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause the program to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226978 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**IBM X-Force ID:**221508
**DESCRIPTION:**Swagger UI could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the OpenAPI definitions. An attacker could exploit this vulnerability using the ?url parameter in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|
IBM Cloud Pak for Business Automation
| V22.0.1 - V22.0.1-IF001| affected
IBM Cloud Pak for Business Automation| V21.0.3 - V21.0.3-IF011| affected
IBM Cloud Pak for Business Automation|
V21.0.2 - V21.0.2-IF012 and later fixes
V21.0.1 - V21.0.1-IF007 and later fixes
V20.0.1 - V20.0.3 and later fixes
V19.0.1 - V19.0.3 and later fixes
V18.0.0 - V18.0.2 and later fixes
| affected
Remediation/Fixes
Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVEs in this bulletin are specifically addressed by
| CVE ID | Addressed in component |
|---|---|
| CVE-2022-25896 | Business Automation Application component |
| CVE-2022-35644, CVE-2022-35279 | Business Automation Studio component, Business Automation Workflow component, Workflow Process Service component |
| CVE-2022-28948 | Business Teams Service operator |
| CVE-2022-21496, CVE-2022-21434, CVE-2022-21443, CVE-2022-21299, CVE-2021-35561 | All Java based components |
| CVE-2018-25031 | Business Automation Workflow component (Process Federation Server) |
| CVE-2022-22476 | all Liberty based components |
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | V22.0.1 | Apply security fix 22.0.1-IF002 |
| IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF010 | Apply security fix 21.0.3-IF012 or upgrade to 22.0.1-IF002 |
| IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF008 | |
| V20.0.1 - V20.0.3 | ||
| V19.0.1 - V19.0.3 | ||
| V18.0.0 - V18.0.2 | Upgrade to 21.0.3-IF012 or 22.0.1-IF002 |
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | cloud_pak_for_automation | 18.0.0 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.0:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 18.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.1:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 18.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:18.0.2:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 19.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.1:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 19.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.2:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 19.0.3 | cpe:2.3:a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 20.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.1:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 20.0.2 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.2:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 20.0.3 | cpe:2.3:a:ibm:cloud_pak_for_automation:20.0.3:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 21.0.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
71.9%