CVSS2: 5 Medium
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.005 Low (Percentile: 76.0%)
IBM Business Automation Workflow packages jdom. An XML External Entity (XXE) injection vulnerability was reported for jdom: Due to insecure default settings in jdom, a careless client application may fail to disable XML External Entity expansion features in the XML parser used by the library. While this is not the case in product code, the library is updated to protect custom code that might have accidentally referred to this copy of the library.
CVEID: CVE-2021-33813
**DESCRIPTION:** JDOM is vulnerable to a denial of service, caused by an XXE issue in SAXBuilder. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203804 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
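The weakness described above is a parser-configuration default, so custom code that parses untrusted XML with JDOM should configure `SAXBuilder` explicitly rather than rely on the library's defaults. The following is an added example, not IBM's or the JDOM project's code: a hardened JDOM 2 `SAXBuilder` that rejects DOCTYPE declarations and external entities, checked against two constructed documents. It assumes JDOM 2 (`org.jdom2`) on a JDK whose built-in Xerces parser recognizes the `http://apache.org/xml/features/...` feature URIs.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;

public final class HardenedJdomParser {

    /** Builds a non-validating SAXBuilder with every entity-expansion path switched off. */
    public static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder();
        // Reject any DOCTYPE outright: without one, no entities (internal or external) can be declared.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE feature is ever relaxed: no external entities, no external DTD fetch.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Keep entity references unexpanded in the resulting JDOM tree.
        builder.setExpandEntities(false);
        return builder;
    }

    /** Returns true if the hardened builder accepts the document, false if it rejects it. */
    public static boolean accepts(String xml) {
        try {
            Document doc = hardenedBuilder().build(new StringReader(xml));
            return doc.getRootElement() != null;
        } catch (JDOMException | IOException e) {
            // JDOMParseException wraps the SAX error raised when a DOCTYPE is encountered.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples (not from the advisory): a plain document and one carrying a DOCTYPE.
        String plain = "<workflow><task id=\"1\"/></workflow>";
        String withDoctype = "<!DOCTYPE workflow [<!ENTITY greeting \"hello\">]>"
                + "<workflow>&greeting;</workflow>";
        System.out.println("plain document accepted:   " + accepts(plain));
        System.out.println("DOCTYPE document accepted: " + accepts(withDoctype));
    }
}
```

Because the DOCTYPE feature fails the parse before any entity declaration is processed, the check short-circuits entity-expansion attacks regardless of which JDOM version is on the classpath.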
Status

Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Business Automation Workflow containers | V23.0.1 - V23.0.1-IF001; V22.0.2 - V22.0.2 all fixes; V22.0.1 all fixes; V21.0.3 - V21.0.3-IF023; V21.0.2 all fixes; V20.0.0.2 all fixes; V20.0.0.1 all fixes | affected |
IBM Business Automation Workflow traditional | V23.0.1; V22.0.1 - V22.0.2; V21.0.1 - V21.0.3.1; V20.0.0.1 - V20.0.0.2; V19.0.0.1 - V19.0.0.3 | affected |
IBM Business Automation Workflow Enterprise Service Bus | V22.0.2, V23.0.1 | affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT225151 as soon as practical.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Business Automation Workflow containers | V22.0.2 | Apply 23.0.1-IF002 |
IBM Business Automation Workflow containers | V22.0.1 | Upgrade to Business Automation Workflow on Containers 22.0.2 and apply 23.0.1-IF002 |
IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF024, or upgrade to 23.0.1-IF002 or later |
IBM Business Automation Workflow containers | V21.0.2; V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF024, or upgrade to 23.0.1-IF002 or later |
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus | V23.0.1 | Apply DT225151 |
IBM Business Automation Workflow traditional | V21.0.3.1 | Upgrade to IBM Business Automation Workflow traditional V22.0.2 and apply DT225151 |
IBM Business Automation Workflow traditional | V22.0.2; V22.0.1; V21.0.2; V20.0.0.2; V20.0.0.1; V19.0.0.3 | Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum |
None