Multiple vulnerabilities in IBM Cloud Pak for Business Automation



Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-24434
CVE-2022-23712
CVE-2022-25878
CWE-ID CWE-20
CWE-754
CWE-913
Exploitation vector Network
Public exploit N/A
Vulnerable software
 IBM Cloud Pak for Business Automation
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU64874

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24434

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a modified form to server, and crash the nodejs service. An attacker can sent the payload again and again so that the service continuously crashes.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: 18.0.0 - 21.0.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6600749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Check for Unusual or Exceptional Conditions

EUVDB-ID: #VU64866

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23712

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling. A remote attacker can send specifically formatted network request to the application and forcibly shut down an Elasticsearch node.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: 18.0.0 - 21.0.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6600749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Control of Dynamically-Managed Code Resources

EUVDB-ID: #VU64865

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25878

CWE-ID: CWE-913 - Improper Control of Dynamically-Managed Code Resources

Exploit availability: No

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to Prototype Pollution error in protobufjs. A remote unauthenticated attacker can provide an untrusted user input to the util.setProperty or to the ReflectionObject.setParsedOption functions, and also by parse/load .proto files to modify data on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: 18.0.0 - 21.0.3

CPE2.3 External links

http://www.ibm.com/support/pages/node/6600749


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###