IBM74E9F8E6E5184FBCEB498F0196FD5CD0F80F1B6DBE62511384650C15E9A2E7C8Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow - CVE-2022-34917
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
48.3%
Summary
Event emitters for Business Automation Insights in IBM Business Automation Workflow are affected by a Denial of Service attack.
Vulnerability Details
CVEID:CVE-2022-34917
**DESCRIPTION:**Apache Kafka is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to allocate large amounts of memory on brokers, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236498 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 - V22.0.1-IF003 | |
| V21.0.3 - V21.0.3-IF013 | ||
| V21.0.2 all fixes | ||
| V20.0.0.2 all fixes | ||
| V20.0.0.1 all fixes | affected | |
| IBM Business Automation Workflow traditional | V22.0.1 | |
| V21.0.1 - V21.0.3.1 | ||
| V20.0.0.1 - V20.0.0.2 | ||
| V19.0.0.1 - V19.0.0.3 | affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT160695 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 | Apply 22.0.1-IF004 |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF014 |
| or upgrade to 22.0.1-IF004 or later | ||
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF014 | |
| or upgrade to 22.0.1-IF004 or later | ||
| IBM Business Automation Workflow traditional | V22.0.1 | Apply DT160695 |
| IBM Business Automation Workflow traditional | V21.0.3.x | Apply DT160695 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160695 | ||
| IBM Business Automation Workflow traditional | V21.0.2 | Upgrade to IBM Business Automation Workflow 21.0.3 and apply DT160695 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160695 | ||
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT160695 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160695 | ||
| IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply DT160695 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160695 | ||
| IBM Business Automation Workflow traditional | V19.0.0.3 | Apply DT160695 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160695 | ||
| IBM Business Automation Workflow traditional | V19.0.0.1 - V19.0.0.2 | Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply DT160695 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160695 |
Workarounds and Mitigations
None
Affected configurations
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
48.3%