Lucene search

IBMF0F63FC987007665459DA14F7F1E8DD285B3AB39C00E792F6E9B1B337EB5AB31

HistoryMar 01, 2024 - 7:11 p.m.

Security Bulletin: Apache Derby vulnerability addressed in IBM Business Automation Workflow on containers [CVE-2022-46337]

2024-03-0119:11:39

www.ibm.com

ibm business automation workflow

containers

apache derby

vulnerability

cve-2022-46337

ldap injection

security restrictions

cvss

upgrade

fixes

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.002

Percentile

62.2%

JSON

Summary

IBM Business Automation Workflow on containers addessed CVE-2022-46337. A copy of derby is included on container images, but never used in a supported scenario. Even in unsupported scenarios, there is no way of letting derby interact with LDAP.

Vulnerability Details

CVEID:CVE-2022-46337
**DESCRIPTION:**Apache Derby could allow a remote attacker to bypass security restrictions, caused by a LDAP injection vulnerability in authenticator. By sending a specially crafted request, an attacker could exploit this vulnerability to view and corrupt sensitive data and run sensitive database functions and procedures.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271915 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)	Status
IBM Business Automation Workflow containers

V23.0.2 - V23.0.2-IF001
V23.0.1 all fixes
V22.0.2 all fixes
V22.0.1 all fixes
V21.0.3 - V21.0.3-IF029
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes

| affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

Affected Product(s)	Version(s)	Remediation / Fix
IBM Business Automation Workflow containers	V23.0.2	Apply 23.0.2-IF002
IBM Business Automation Workflow containers	V21.0.3	Apply 21.0.3-IF030
or upgrade to 23.0.2-IF002 or later
IBM Business Automation Workflow containers	V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.2
V20.0.0.1 - V20.0.0.2	Upgrade to 21.0.3-IF030
or upgrade to 23.0.2-IF002 or later

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmbusiness_automation_workflowMatch22.0.2enterprise_service_bus

ibmbusiness_automation_workflowMatch23.0.1enterprise_service_bus

ibmbusiness_automation_workflowMatch23.0.2enterprise_service_bus

VendorProductVersionCPE
ibmbusiness_automation_workflow22.0.2cpe:2.3:a:ibm:business_automation_workflow:22.0.2:*:*:*:enterprise_service_bus:*:*:*
ibmbusiness_automation_workflow23.0.1cpe:2.3:a:ibm:business_automation_workflow:23.0.1:*:*:*:enterprise_service_bus:*:*:*
ibmbusiness_automation_workflow23.0.2cpe:2.3:a:ibm:business_automation_workflow:23.0.2:*:*:*:enterprise_service_bus:*:*:*

Vendor	Product	Version	CPE
ibm	business_automation_workflow	22.0.2	cpe:2.3:a:ibm:business_automation_workflow:22.0.2::::enterprise_service_bus:::
ibm	business_automation_workflow	23.0.1	cpe:2.3:a:ibm:business_automation_workflow:23.0.1::::enterprise_service_bus:::
ibm	business_automation_workflow	23.0.2	cpe:2.3:a:ibm:business_automation_workflow:23.0.2::::enterprise_service_bus:::