Multiple vulnerabilities in IBM Robotic Process Automation



Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2019-0820
CVE-2020-15522
CVE-2021-43569
CWE-ID CWE-400
CWE-208
CWE-347
Exploitation vector Network
Public exploit N/A
Vulnerable software
 IBM Robotic Process Automation
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU64730

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-0820

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Robotic Process Automation: 21.0.0 - 21.0.2.4

CPE2.3 External links

https://www.ibm.com/support/pages/node/6598793


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information Exposure Through Timing Discrepancy

EUVDB-ID: #VU55035

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-15522

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing issue within the EC math library. A remote attacker who can observe timing information for the generation of multiple deterministic ECDSA signatures is able to reconstruct the private key used for encryption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Robotic Process Automation: 21.0.0 - 21.0.2.4

CPE2.3 External links

https://www.ibm.com/support/pages/node/6598793


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Verification of Cryptographic Signature

EUVDB-ID: #VU64732

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-43569

CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) fails to check that the signature is non-zero. A remote unauthenticated attacker can forge signatures on arbitrary messages to execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Robotic Process Automation: 21.0.0 - 21.0.2.4

CPE2.3 External links

https://www.ibm.com/support/pages/node/6598793


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###