SB2023020130 - Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak


Published: February 1, 2023

Security Bulletin ID: SB2023020130
Severity: High
Patch available: YES
Number of vulnerabilities: 7
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 14%, Medium 43%, Low 43%

Description

This security bulletin contains information about 7 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2022-0536)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2022-0613)

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to missing access checks. A remote attacker can manipulate values in the request to gain unauthorized access to the application.


3) Insufficient verification of data authenticity (CVE-ID: CVE-2022-23491)

The vulnerability allows a remote attacker to bypass certificate validation checks.

The vulnerability exists due to the presence of the TrustCor certificate in the trusted root certificate list. The certificate was removed because TrustCor's ownership also operated a business that produced spyware. Therefore, any check that relies on digital signatures chaining to that trusted certificate was compromised.


4) Input validation error (CVE-ID: CVE-2022-24723)

The vulnerability allows a remote attacker to modify application behavior.

The vulnerability exists due to insufficient validation of user-supplied input when handling whitespace characters in a URL. A remote attacker can pass specially crafted input to the application and modify application behavior.
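Whitespace handling of the kind described above is a validator/parser mismatch: a check that inspects the raw string and a URL parser that silently strips or removes whitespace and control characters can reach different conclusions about the same input. The Python example below is added here and is not part of the bulletin or of the affected product; it shows one defensive approach, rejecting any whitespace or control character in the raw input before parsing, so that the scheme allow-list check and the parser see the same string. The `check_url` function, its allow-list and the sample inputs are constructed for this example.

```python
"""Validate a client-supplied URL before parsing it, so that whitespace
and control characters cannot make the validator and the parser disagree.
Added example; check_url(), ALLOWED_SCHEMES and the samples are assumptions."""
from urllib.parse import urlsplit

# Schemes the application is willing to follow (assumed policy).
ALLOWED_SCHEMES = frozenset({"http", "https"})

# ASCII C0 control characters (0x00-0x1F), space (0x20) and DEL (0x7F).
# WHATWG-style URL parsers strip or remove many of these, so a raw string
# containing them can look different to a prefix check and to the parser.
_UNSAFE_CHARS = frozenset(chr(c) for c in range(0x21)) | {"\x7f"}


def check_url(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a URL supplied by a client.

    The raw string is inspected first; only an input free of whitespace
    and control characters reaches the parser, so both views agree.
    """
    if not raw:
        return False, "empty URL"
    found = sorted({f"U+{ord(c):04X}" for c in raw if c in _UNSAFE_CHARS})
    if found:
        return False, "whitespace or control characters: " + ", ".join(found)
    try:
        parts = urlsplit(raw)
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the bulletin.
    samples = [
        "https://example.com/dashboard",
        "ht\ttps://example.com/dashboard",   # tab inside the scheme
        " https://example.com/",              # leading space
        "https://example.com/\r\n",           # trailing CRLF
        "ftp://example.com/",                 # scheme outside the allow-list
        "https:///no-host",                   # empty authority
    ]
    for url in samples:
        accepted, reason = check_url(url)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {url!r}: {reason}")
```

The rejection reason names the offending code points, which is what you want in an application log when investigating probes of this kind; a URL that is legitimately supposed to contain spaces must arrive percent-encoded, which this check accepts.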


5) Information disclosure (CVE-ID: CVE-2022-41064)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in .NET Framework. A remote user on the local network can gain unauthorized access to sensitive information on the system.


6) Out-of-bounds write (CVE-ID: CVE-2022-41854)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error when parsing untrusted YAML files. A remote attacker can send a specially crafted YAML file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and perform a denial of service attack.


7) Deserialization of Untrusted Data (CVE-ID: CVE-2022-42919)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine-local network namespace, which in many system configurations means any user on the same machine. A local user can execute arbitrary code with the privileges of the user running any forkserver process.
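The root cause described above is the address family, not the pickle format: on Linux, multiprocessing prefers abstract-namespace AF_UNIX sockets, which have no filesystem permissions, so any process in the same network namespace can connect to the forkserver's listener. The Python example below is added here and is not part of the bulletin, of IBM's product or of CPython; it audits which kind of address a new multiprocessing listener would get and applies the same change the upstream fix made, forcing filesystem-backed sockets that live in a private temporary directory. The function names are the editor's; `multiprocessing.util.abstract_sockets_supported` and `multiprocessing.connection.arbitrary_address` are the real CPython names.

```python
"""Audit and harden how Python's multiprocessing module addresses its
AF_UNIX sockets. Added example; the three functions are assumptions,
the multiprocessing attributes they touch are the real ones."""
import multiprocessing
import multiprocessing.util as mp_util
from multiprocessing.connection import arbitrary_address


def abstract_sockets_enabled() -> bool:
    """True when multiprocessing is willing to use Linux abstract-namespace
    AF_UNIX sockets, which carry no filesystem permissions at all."""
    return bool(mp_util.abstract_sockets_supported)


def harden_forkserver_sockets() -> None:
    """Force filesystem-backed AF_UNIX sockets.

    Those are created inside multiprocessing's private temp directory and
    are protected by its mode, so only the owning user can connect. This
    must run before the forkserver process is started, i.e. before the
    first Process or Pool is created under the 'forkserver' start method.
    """
    mp_util.abstract_sockets_supported = False


def audit_listener_address() -> dict:
    """Report the kind of address a new AF_UNIX listener would receive.

    A Linux abstract-namespace address starts with a NUL byte; a filesystem
    socket address is an ordinary path.
    """
    addr = arbitrary_address("AF_UNIX")
    return {
        "address": addr,
        "abstract_namespace": addr.startswith("\0"),
        "start_method": multiprocessing.get_start_method(allow_none=True),
    }


if __name__ == "__main__":
    print("before hardening:", audit_listener_address())
    harden_forkserver_sockets()
    print("after hardening: ", audit_listener_address())
```

On an interpreter that already carries the upstream fix, the audit reports a filesystem path even before `harden_forkserver_sockets()` is called, and the call is then harmless; on an unpatched interpreter it is the difference between a listener any local user can reach and one confined to the owning user. Running the audit at service start-up and logging its result gives a simple detection of which situation a deployment is in.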


Remediation

Install the update from the vendor's website.