Security Bulletin: Vulnerability in Python affects IBM Process Mining . Multiple CVEs

Summary

There is a vulnerability in Python that could allow a local authenticated attacker to obtain sensitive information, The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability.

Vulnerability Details

CVEID:CVE-2022-48565
**DESCRIPTION:**Python could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the plistlib module. By using a specially crafted XML content, a remote attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264547 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-48564
**DESCRIPTION:**Python is vulnerable to a denial of service, caused by a flaw in the read_ints function in plistlib.py. By persuading a victim to open a specially crafted Apple Property List file file, a remote attacker could exploit this vulnerability to cause CPU and RAM exhaustion, and results in a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264546 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Remediation/Fixes guidance:

1.14.1, 1.14.0, 1.13.2

|

Upgrade to version 1.14.2

1.Login to PassPortAdvantage

2. Search for
M0FHQML
Process Mining 1.14.2 Server Multiplatform Multilingual

3. Download package

4. Follow install instructions

5. Repeat for M0FHRML Process Mining 1.14.2 Client Windows Multilingual

| |

Workarounds and Mitigations

Workarounds/Mitigation guidance:

None known