Multiple vulnerabilities in Red Hat Process Automation Manager 7.13
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2023-44487 CVE-2022-4285 CVE-2023-22025 CVE-2023-22081 CVE-2023-40217 |
| CWE-ID | CWE-400 CWE-476 CWE-20 CWE-319 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software |
Red Hat Process Automation Manager (formerly JBoss BPM Suite) Web applications / Remote management & hosting panels |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU81728
Risk: High
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2023-44487
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".
Note, the vulnerability is being actively exploited in the wild.
Install updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.13.0 - 7.13.4
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.2:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2023:7335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) NULL pointer dereference
EUVDB-ID: #VU76453
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-4285
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when parsing an ELF file containing corrupt symbol version information. A remote attacker can pass a specially crafted file to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.13.0 - 7.13.4
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.2:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2023:7335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU82143
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-22025
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Hotspot component in Oracle GraalVM for JDK. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.13.0 - 7.13.4
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.2:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2023:7335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU82141
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-22081
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM for JDK. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.13.0 - 7.13.4
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.2:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2023:7335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cleartext transmission of sensitive information
EUVDB-ID: #VU80228
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-40217
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in ssl.SSLSocket implementation when handling TLS client authentication. A remote attacker can trick the application to send data unencrypted.
Install updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.13.0 - 7.13.4
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.13.2:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2023:7335
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
