
Security Bulletin: IBM Process Federation Server REST API is subject to DoS attacks

2020-04-01 09:02:42
www.ibm.com

EPSS

0.001

Percentile

32.8%

Summary

IBM Process Federation Server Global Teams REST API does not properly shut down the thread pools that it creates, leading to OutOfMemory exceptions, and could be targeted by DoS attacks.

Vulnerability Details

CVEID: CVE-2020-4325
**DESCRIPTION:** The IBM Process Federation Server Global Teams REST API does not properly shut down the thread pools that it creates to retrieve Global Teams information from the federated systems. As a consequence, the Java Virtual Machine cannot recover the memory used by those thread pools, which leads to an OutOfMemory exception when the Process Federation Server Global Teams REST API is used extensively.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
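The defect class described above, a per-request thread pool that is never shut down so its worker threads and their memory stay reachable until the JVM exhausts its resources, shown beside the corrected pattern. This is an added illustrative example, not IBM's Process Federation Server code; the federated system names and the "teams@" result values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;

public class ThreadPoolLeakDemo {
    // Constructed stand-ins for the federated systems queried for Global Teams data.
    static final List<String> FEDERATED_SYSTEMS = List.of("bpm-a", "bpm-b", "bpm-c");

    // Leaky pattern: a fresh pool per request that is never shut down. Its workers are
    // non-daemon threads that stay alive and keep the pool reachable, so the JVM cannot
    // reclaim them; under heavy API use the leak ends in OutOfMemory (denial of service).
    static List<String> queryTeamsLeaky() throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(FEDERATED_SYSTEMS.size());
        List<Future<String>> results = new ArrayList<>();
        for (String sys : FEDERATED_SYSTEMS) results.add(pool.submit(() -> "teams@" + sys));
        List<String> out = new ArrayList<>();
        for (Future<String> f : results) out.add(f.get());
        return out; // pool.shutdown() is missing: the bug
    }

    // Fixed pattern: the pool is always shut down in finally, and waits are bounded so a
    // slow federated system cannot pin the request (and its pool) indefinitely.
    static List<String> queryTeamsFixed() throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(FEDERATED_SYSTEMS.size());
        try {
            List<Future<String>> results = new ArrayList<>();
            for (String sys : FEDERATED_SYSTEMS) results.add(pool.submit(() -> "teams@" + sys));
            List<String> out = new ArrayList<>();
            for (Future<String> f : results) out.add(f.get(5, TimeUnit.SECONDS));
            return out;
        } finally {
            pool.shutdownNow();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("baseline live threads: " + Thread.activeCount());
        for (int i = 0; i < 100; i++) queryTeamsLeaky();
        System.out.println("after 100 leaky calls:  " + Thread.activeCount()); // grows by ~300
        for (int i = 0; i < 100; i++) queryTeamsFixed();
        System.out.println("after 100 fixed calls:  " + Thread.activeCount()); // unchanged
        // Leaked non-daemon workers would keep the JVM alive forever; exit explicitly.
        System.exit(0);
    }
}
```

A steadily rising thread count (or heap held by idle pool workers) in a JVM that serves this kind of fan-out API is the operational signal for this class of leak.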

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Automation Workstream Services in Cloud Pak for Automation | 19.0.3 |
| IBM Process Federation Server | 18.0.0.1 to 19.0.0.3 included |

Remediation/Fixes

| Fixed Product(s) | Version(s) |
| --- | --- |
| IBM Automation Workstream Services in Cloud Pak for Automation | 20.0.1 |
| IBM Process Federation Server | 20.0.1 |

iFixes for APAR JR62105 can also be installed on IBM Process Federation Server versions 18.0.0.1 to 19.0.0.3 (inclusive) to fix the vulnerability.

Workarounds and Mitigations

None
