Jul 21, 2023 - 4:51 p.m.

Security Bulletin: Multiple vulnerabilities affect the embedded Content Navigator in Business Automation Workflow - CVE-2023-24998, 254437

www.ibm.com

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.026 (Percentile: 90.5%)

Summary

The embedded Content Navigator in IBM Business Automation Workflow is affected by multiple vulnerabilities.

Vulnerability Details

**CVEID:** CVE-2023-24998
**DESCRIPTION:** Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by a failure to limit the number of request parts to be processed in the file upload function. By sending a specially crafted request with a series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**IBM X-Force ID:** 254437
**DESCRIPTION:** Jose4J could allow a remote attacker to obtain sensitive information, caused by a chosen ciphertext attack in RSA1_5. By using cryptographic attack techniques, an attacker could exploit this vulnerability to decrypt RSA1_5 or RSA_OAEP encrypted ciphertexts.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
| --- | --- | --- |
| IBM Business Automation Workflow traditional | V23.0.1 | not affected |
| IBM Business Automation Workflow traditional | V22.0.1 - V22.0.2, V21.0.1 - V21.0.3.1, V20.0.0.1 - V20.0.0.2, V19.0.0.1 - V19.0.0.3 | affected |

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT197398 as soon as practical.

| Affected Product(s) | Version(s) | Remediation / Fix |
| --- | --- | --- |
| IBM Business Automation Workflow traditional | V22.0.2 | Apply DT197398 or upgrade to IBM Business Automation Workflow traditional V23.0.1 |
| IBM Business Automation Workflow traditional | V21.0.3.1 | Apply DT197398 or upgrade to IBM Business Automation Workflow traditional V23.0.1 |
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT197398 or upgrade to IBM Business Automation Workflow traditional V23.0.1 |
| IBM Business Automation Workflow traditional | V22.0.1, V21.0.2, V20.0.0.1, V19.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm business_automation_workflow, matching any of versions 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, 22.0.2, 22.0.2 enterprise_service_bus

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | business_automation_workflow | 18.0.0.0 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 18.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 18.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 19.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 19.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 19.0.0.3 | cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 20.0.0.1 | cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 20.0.0.2 | cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 21.0.2 | cpe:2.3:a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:* |
| ibm | business_automation_workflow | 21.0.3 | cpe:2.3:a:ibm:business_automation_workflow:21.0.3:*:*:*:*:*:*:* |

Rows 1-10 of 131