Sep 29, 2022 - 2:43 p.m.

Security Bulletin: IBM Robotic Process Automation may be vulnerable to spoofing attacks due to System.Security.Cryptography.Xml (CVE-2022-34716)

Source: www.ibm.com

Tags: ibm robotic process automation, spoofing attacks, xml signature verification, system.security.cryptography.xml, cve-2022-34716, .net framework, vulnerability, ibm cloud pak, remediation

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

46.8%

Summary

System.Security.Cryptography.Xml is used by IBM Robotic Process Automation as part of the .NET Framework (CVE-2022-34716)

Vulnerability Details

CVEID: CVE-2022-34716
**DESCRIPTION:** Microsoft .NET could allow a remote attacker to conduct spoofing attacks, caused by improper XML signature verification in the System.Security.Cryptography.Xml.SignedXml implementation. By conducting an XML external entity injection attack, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232148 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)                              | Version(s)
IBM Robotic Process Automation for Cloud Pak     | < 21.0.5
IBM Robotic Process Automation                   | < 21.0.5

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

Product(s)                                       | Version(s) number and/or range | Remediation/Fix/Instructions
IBM Robotic Process Automation                   | < 21.0.5                       | Download 21.0.5 and follow instructions.
IBM Robotic Process Automation for Cloud Pak     | < 21.0.5                       | Download 21.0.5 and follow instructions.

Workarounds and Mitigations

None.

Affected configurations

Match any of:
ibm robotic_process_automation 21.0.0
ibm robotic_process_automation 21.0.1
ibm robotic_process_automation 21.0.2
ibm robotic_process_automation 21.0.3
ibm robotic_process_automation 21.0.4

Vendor | Product                   | Version | CPE
ibm    | robotic_process_automation | 21.0.0  | cpe:2.3:a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:*
ibm    | robotic_process_automation | 21.0.1  | cpe:2.3:a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
ibm    | robotic_process_automation | 21.0.2  | cpe:2.3:a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*
ibm    | robotic_process_automation | 21.0.3  | cpe:2.3:a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*
ibm    | robotic_process_automation | 21.0.4  | cpe:2.3:a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*
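The affected-configuration table above is the input an asset owner actually has to act on. The following script is an added example, not part of IBM's bulletin or of any IBM tooling: it parses the CPE 2.3 strings listed in the table, applies the bulletin's "< 21.0.5" rule, and flags which entries in a constructed software inventory still need the 21.0.5 update. The inventory hosts and the `check_inventory` helper are assumptions made for the example.

```python
"""Evaluate a software inventory against the affected CPEs from this bulletin (added example)."""

# CPE 2.3 entries copied verbatim from the bulletin's "Affected configurations" table.
AFFECTED_CPES = [
    "cpe:2.3:a:ibm:robotic_process_automation:21.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:robotic_process_automation:21.0.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:ibm:robotic_process_automation:21.0.4:*:*:*:*:*:*:*",
]

# Version that the bulletin names as the fix for both affected products.
FIXED_VERSION = "21.0.5"


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its vendor, product and version fields.

    Assumes no escaped colons inside fields, which holds for every entry in this bulletin.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return {"part": parts[2], "vendor": parts[3], "product": parts[4], "version": parts[5]}


def version_tuple(version: str) -> tuple:
    """Turn '21.0.4' into (21, 0, 4) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in version.split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """The bulletin's rule: every release below the fixed version is affected."""
    return version_tuple(version) < version_tuple(fixed)


def affected_versions() -> set:
    """Versions the bulletin lists explicitly; used to cross-check the '< fixed' rule."""
    return {parse_cpe(c)["version"] for c in AFFECTED_CPES}


def check_inventory(inventory: list) -> dict:
    """Map each (host, cpe) pair to True if the host runs an affected IBM RPA build.

    Entries for other vendors or products are reported as not affected by this bulletin.
    """
    reference = parse_cpe(AFFECTED_CPES[0])
    result = {}
    for host, cpe in inventory:
        fields = parse_cpe(cpe)
        same_product = (fields["vendor"], fields["product"]) == (reference["vendor"], reference["product"])
        result[host] = same_product and is_affected(fields["version"])
    return result


# Constructed sample inventory; host names and the non-IBM entry are made up for the example.
SAMPLE_INVENTORY = [
    ("rpa-prod-01", "cpe:2.3:a:ibm:robotic_process_automation:21.0.3:*:*:*:*:*:*:*"),
    ("rpa-prod-02", "cpe:2.3:a:ibm:robotic_process_automation:21.0.5:*:*:*:*:*:*:*"),
    ("build-agent", "cpe:2.3:a:example_vendor:other_product:1.0.0:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    for host, affected in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPDATE to ' + FIXED_VERSION if affected else 'not affected'}")
```

The numeric tuple comparison matters: a string comparison would rank "21.0.10" below "21.0.5" and silently miss an affected build. The explicit version set returned by `affected_versions()` lets you confirm that every version the bulletin enumerates also satisfies the `< 21.0.5` rule before trusting the rule on versions the table does not list.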