SB2022123002 - Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2017-10355)

The vulnerability allows a remote attacker to cause DoS condition.

The weakness exists due to a flaw in the Networking component. A remote attacker can trigger partial denial of service.

2) Out-of-bounds write (CVE-ID: CVE-2022-42920)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the API. A remote attacker can create a specially crafted request to the affected application, trigger an out-of-bounds write and execute arbitrary code on the target system.

3) Input validation error (CVE-ID: CVE-2022-2047)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when parsing invalid URIs such as http://localhost;/path. A remote attacker can pass specially crafted input to the application and bypass implemented security restrictions, as the Jetty's HttpClient, and Jetty's ProxyServlet / AsyncProxyServlet / AsyncMiddleManServlet will wrongly interpret an authority of such URI as the one with a hostname.

4) Cross-site request forgery (CVE-ID: CVE-2022-42435)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin within the IBM Business Automation Workflow. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6852217