Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation Fixes for April 2024.

In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF032 and 23.0.2-IF004.

## Vulnerability Details

**CVEID:**CVE-2024-22353
**DESCRIPTION:** IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 280400.
**CWE:**CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.9
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2024-28849
**DESCRIPTION:** Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by the leakage of credentials when clearing authorization header during cross-domain redirect, but keeping the proxy-authentication header. An attacker could exploit this vulnerability to obtain credentials and other sensitive information.
**CWE:**CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.5
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2023-26159
**DESCRIPTION:** follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
**CWE:**CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.1
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**CVE-2024-29041
**DESCRIPTION:** Express.js Express could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
**CWE:**CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 6.1
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**CVE-2023-44487
**DESCRIPTION:** Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
**CWE:**CWE-400: Uncontrolled Resource Consumption
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-2253
**DESCRIPTION:** Distribution is vulnerable to a denial of service, caused by improper input validation by the /v2/_catalog endpoint. By sending a specially crafted /v2/_catalog API endpoint request request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2017-11468
**DESCRIPTION:** Docker Registry is vulnerable to a denial of service, caused by the failure to restrict content sizes. An attacker could exploit this vulnerability to cause memory consumption.
**CWE:**CWE-399: Resource Management Errors
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**CVE-2023-2602
**DESCRIPTION:** libcap is vulnerable to a denial of service, caused by a memory leak flaw in the error handling in the __wrap_pthread_create() function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to exhaust the process memory, and results in a denial of service condition.
**CWE:**CWE-401: Missing Release of Memory after Effective Lifetime
**CVSS Source:** IBM X-Force
**CVSS Base score:** 0
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

**CVEID:**CVE-2023-2603
**DESCRIPTION:** libcap could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the _libcap_strdup() function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CWE:**CWE-190: Integer Overflow or Wraparound
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.6
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**CVE-2023-51775
**DESCRIPTION:** jose4j is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted p2c value, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2017-18342
**DESCRIPTION:** PyYAML could allow a remote attacker to execute arbitrary code on the system, caused by the failure to use yaml.safe_load in the yaml.load() API. An attacker could exploit this vulnerability to execute arbitrary code on the system.
**CWE:**CWE-94: Improper Control of Generation of Code (‘Code Injection’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 9.8
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2017-18343
**DESCRIPTION:** ** DISPUTED ** The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor’s position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar.
**CWE:**CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 0
**CVSS Vector:**

**CVEID:**CVE-2020-1747
**DESCRIPTION:** PyYAML could allow a remote attacker to execute arbitrary code on the system, caused by an error when processing untrusted YAML files through the full_load method or with the FullLoader loader. By abusing the python/object/new constructor, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CWE:**CWE-94: Improper Control of Generation of Code (‘Code Injection’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 9.8
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**CVE-2024-22257
**DESCRIPTION:** VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. By sending a direct request, an attacker could exploit this vulnerability to bypass access restrictions.
**CWE:**CWE-287: Improper Authentication
**CVSS Source:** IBM X-Force
**CVSS Base score:** 8.2
**CVSS Vector:**(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

**CVEID:**CVE-2024-22259
**DESCRIPTION:** VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in UriComponentsBuilder. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites.
**CWE:**CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
**CVSS Source:** CVE.org
**CVSS Base score:** 8.1
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-20952
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
**CWE:**CWE-416: Use After Free
**CVSS Source:** CVE.org
**CVSS Base score:** 7.4
**CVSS Vector:**(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-20918
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.4
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**CVE-2024-20921
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.9
**CVSS Vector:**

**CVEID:**CVE-2024-20919
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high integrity impact.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.7
**CVSS Vector:**(CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**CVE-2024-20926
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.9
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-20945
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
**CWE:**CWE-20: Improper Input Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.7
**CVSS Vector:**(CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2023-33850
**DESCRIPTION:** IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
**CWE:**CWE-203: Observable Discrepancy
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.9
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-1023
**DESCRIPTION:** Eclipse Vert.x is vulnerable to a denial of service, caused by a memory leak due to the use of Netty FastThreadLocal data structures. By persuading to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:**CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
**CVSS Source:** CVE.org
**CVSS Base score:** 6.5
**CVSS Vector:**(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-4641
**DESCRIPTION:** shadow-maint shadow-utils could allow a local authenticated attacker to obtain sensitive information, caused by failing to clean the buffer used to store password information. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain password information, and use this information to launch further attacks against the affected system.
**CWE:**CWE-303: Incorrect Implementation of Authentication Algorithm
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.7
**CVSS Vector:**(CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-26308
**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error. By persuading a victim to open a specially crafted Pack200 file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:**CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2024-25710
**DESCRIPTION:** Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw. By persuading a victim to open a specially crafted DUMP file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:**CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-50312
**DESCRIPTION:** IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.2 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274711.
**CWE:**CWE-327: Use of a Broken or Risky Cryptographic Algorithm
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:**(CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**CVE-2024-27270
**DESCRIPTION:** IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576.
**CWE:**CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 4.7
**CVSS Vector:**(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

## Affected Products and Versions

Affected Product(s) | Version(s) | Status
—|—|—
IBM Cloud Pak for Business Automation | V23.0.2 – V23.0.2-IF003 | Affected
IBM Cloud Pak for Business Automation | V23.0.1 all fixes
V22.0.2 all fixes
V22.0.1 all fixes | Affected
IBM Cloud Pak for Business Automation | V21.0.3 – V21.0.3-IF031 | Affected
IBM Cloud Pak for Business Automation | V21.0.1 all fixes
V20.0.1 – V20.0.3
V19.0.1 – V19.0.3
V18.0.0 – V18.0.2 | Affected

## Remediation/Fixes

Affected Product(s) | Version(s) | Remediation / Fix
—|—|—
IBM Cloud Pak for Business Automation | V23.0.2 – V23.0.2-IF003 | Apply security fix 23.0.2-IF004
IBM Cloud Pak for Business Automation | V23.0.1 all fixes
V22.0.2 all fixes | Upgrade and apply security fix 23.0.2-IF004
IBM Cloud Pak for Business Automation | V21.0.3 – V21.0.3-IF031 | Apply security fix 21.0.3-IF032 or upgrade to 23.0.2-IF004
IBM Cloud Pak for Business Automation | V21.0.1 all fixes
V20.0.1 – V20.0.3
V19.0.1 – V19.0.3
V18.0.0 – V18.0.2 | Upgrade to 21.0.3-IF032 or 23.0.2-IF004

Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by

**CVE** | **Component**
—|—
CVE-2017-11468 | User Management Service Component
CVE-2017-18342 | Demo Pattern
CVE-2017-18343 | Demo Pattern
CVE-2020-1747 | Demo Pattern
CVE-2023-2253 | User Management Service Component
CVE-2023-2602 | User Management Service Component
CVE-2023-2603 | User Management Service Component
CVE-2023-26159 | Business Automation Insights Component
CVE-2023-33850 | Operational Decision Manager Component
CVE-2023-44487 | User Management Service Component
CVE-2023-4641 | Automation Decision Services
CVE-2023-50312 | Base Images
CVE-2023-51775 | Operational Decision Manager Component
CVE-2024-1023 | Business Automation Insights Core
CVE-2024-20918 | Operational Decision Manager Component
CVE-2024-20919 | Operational Decision Manager Component
CVE-2024-20921 | Operational Decision Manager Component
CVE-2024-20926 | Operational Decision Manager Component
CVE-2024-20945 | Operational Decision Manager Component
CVE-2024-20952 | Operational Decision Manager Component
CVE-2024-22257 | Automation Decision Services
CVE-2024-22259 | Automation Decision Services
CVE-2024-22353 | Base Images
CVE-2024-25710 | Automation Decision Services
CVE-2024-26308 | Automation Decision Services
CVE-2024-27270 | Base Images
CVE-2024-28849 | Business Automation Application Component
CVE-2024-28849 | Business Automation Insights Core
CVE-2024-29041 | Business Automation Insights Core

## Workarounds and Mitigations

None

##