Vulnerability Details
## Basic Information
| Title | Security Bulletin: Security vulnerabilities addressed with IBM Business Automation Workflow container updates in April 2025 |
|---|---|
| Type | ibm |
| Published | 2025-05-03T06:13:21 |
| Last Seen | 2025-05-03T10:56:46 |
| CVSS Score | 7.5 (HIGH) |
## CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | NONE |
| Availability Impact | NONE |
## CVE Information
| CVE IDs | CVE-2023-50314, CVE-2024-10917, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235, CVE-2024-34155, CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22870 |
|---|---|
| CWE | |
| Bulletin Family | software |
## Description
Multiple security vulnerabilities are addressed with IBM Business Automation Workflow containers updates in April 2025.
## Vulnerability Details
**CVEID:** CVE-2023-50314
**DESCRIPTION:** IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
**CWE:** CWE-295: Improper Certificate Validation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.3
**CVSS Vector:** (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
**CVEID:** CVE-2024-45336
**DESCRIPTION:** The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
**CVSS Source:** CISA ADP
**CVSS Base score:** 6.1
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
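The redirect behaviour described for CVE-2024-45336, as an added constructed model (not net/http's own code): `authSentTo` and `isDomainOrSubdomain` are hypothetical names, and the chain is the a.com/ → b.com/1 → b.com/2 one from the description. The pre-fix decision compares each hop only with the previous hop, which is why the third hop gets the header back; the fixed decision is sticky once a cross-domain hop has stripped it.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isDomainOrSubdomain reports whether sub is parent or a subdomain of it,
// the rule net/http applies to Authorization, Cookie and similar headers.
func isDomainOrSubdomain(sub, parent string) bool {
	return sub == parent || strings.HasSuffix(sub, "."+parent)
}

// authSentTo walks a redirect chain (chain[0] is the initial URL) and
// reports, per hop, whether the initial request's Authorization header is
// copied onto that hop. fixed=false models the pre-fix client, which only
// compared each hop with the previous one, so the header was restored on a
// later same-domain hop; fixed=true makes the strip decision sticky.
func authSentTo(chain []string, fixed bool) ([]bool, error) {
	initial, err := url.Parse(chain[0])
	if err != nil {
		return nil, err
	}
	sent := []bool{true} // the initial request carries its own header
	prev, stripped := initial, false
	for _, hop := range chain[1:] {
		u, err := url.Parse(hop)
		if err != nil {
			return nil, err
		}
		if fixed {
			if !isDomainOrSubdomain(u.Hostname(), initial.Hostname()) {
				stripped = true // once stripped, never restored
			}
			sent = append(sent, !stripped)
		} else {
			sent = append(sent, isDomainOrSubdomain(u.Hostname(), prev.Hostname()))
		}
		prev = u
	}
	return sent, nil
}

func main() {
	chain := []string{"https://a.com/", "https://b.com/1", "https://b.com/2"}
	for _, fixed := range []bool{false, true} {
		sent, _ := authSentTo(chain, fixed)
		fmt.Printf("fixed=%v  Authorization sent per hop: %v\n", fixed, sent)
	}
}
```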
**CVEID:** CVE-2025-22870
**DESCRIPTION:** Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
**CWE:** CWE-115: Misinterpretation of Input
**CVSS Source:** CISA ADP
**CVSS Base score:** 4.4
**CVSS Vector:** (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)
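The NO_PROXY mismatch described for CVE-2025-22870, as an added constructed model (not the golang.org/x/net/http/httpproxy code): `bypassNaive`, `bypassHardened` and `suffixMatch` are hypothetical names, only "*.suffix" entries and loopback literals are modelled, and the `fd00::1` sample host is constructed to show the non-loopback case where the two decisions differ. The naive path relies on `net.ParseIP`, which rejects zone IDs, so the zoned literal falls through to the domain-suffix rule; the hardened path classifies the host with `net/netip`, which understands zone IDs.

```go
package main

import (
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// bypassNaive reproduces the flaw: net.ParseIP does not understand IPv6
// zone IDs, so "::1%.example.com" is handled as a domain name and the
// suffix test matches the zone ID instead of a real hostname.
func bypassNaive(noProxy []string, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	host := u.Hostname() // "%25" in the URL decodes to "%" here
	if ip := net.ParseIP(host); ip != nil {
		return ip.IsLoopback() // address literal: only loopback bypasses
	}
	return suffixMatch(noProxy, host)
}

// bypassHardened parses with netip, which accepts zone IDs, so an address
// literal never reaches the domain-suffix rules.
func bypassHardened(noProxy []string, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	host := u.Hostname()
	if addr, err := netip.ParseAddr(host); err == nil {
		return addr.IsLoopback() // zone is irrelevant to the loopback check
	}
	return suffixMatch(noProxy, host)
}

// suffixMatch applies "*.example.com"-style NO_PROXY entries to a hostname.
func suffixMatch(noProxy []string, host string) bool {
	for _, p := range noProxy {
		if strings.HasPrefix(p, "*.") && strings.HasSuffix(host, p[1:]) {
			return true
		}
	}
	return false
}
```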
**CVEID:** CVE-2024-34155
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in all Parse* functions. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
**CWE:** CWE-1325: Improperly Controlled Sequential Memory Allocation
**CVSS Source:** IBM X-Force
**CVSS Base score:** 7.5
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2024-45341
**DESCRIPTION:** A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
**CVSS Source:** CISA ADP
**CVSS Base score:** 6.1
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
**CVEID:** CVE-2025-22866
**DESCRIPTION:** Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
**CVSS Source:** CISA ADP
**CVSS Base score:** 4
**CVSS Vector:** (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
**CVEID:** CVE-2024-21235
**DESCRIPTION:** Vulnerability in Java SE (component: Hotspot). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to accessible data as well as unauthorized read access to a subset of accessible data.
**CVSS Source:** Oracle
**CVSS Base score:** 4.8
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
**CVEID:** CVE-2024-21217
**DESCRIPTION:** Vulnerability in Java SE (component: Serialization). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS).
**CWE:** CWE-502: Deserialization of Untrusted Data
**CVSS Source:** Oracle
**CVSS Base score:** 3.7
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2024-21210
**DESCRIPTION:** Vulnerability in Java SE (component: Hotspot). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some accessible data.
**CWE:** CWE-203: Observable Discrepancy
**CVSS Source:** Oracle
**CVSS Base score:** 3.7
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
**CVEID:** CVE-2024-21208
**DESCRIPTION:** Vulnerability in Java SE (component: Networking). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS).
**CWE:** CWE-203: Observable Discrepancy
**CVSS Source:** Oracle
**CVSS Base score:** 3.7
**CVSS Vector:** (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2024-10917
**DESCRIPTION:** In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. From 0.48 the value is correct but may be truncated to include a smaller number of characters.
**CWE:** CWE-190: Integer Overflow or Wraparound
**CVSS Source:** NVD
**CVSS Base score:** 5.3
**CVSS Vector:** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
## Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V24.0.1 – V24.0.1-IF001; V24.0.0 – V24.0.0-IF004; earlier unsupported versions | affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
## Remediation/Fixes
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V24.0.1 – V24.0.1-IF001 | Apply 24.0.1-IF002 |
| IBM Business Automation Workflow containers | V24.0.0 – V24.0.0-IF004 | Apply 24.0.0-IF005 |
| IBM Business Automation Workflow containers | earlier unsupported versions | Upgrade to 24.0.0-IF005 (or later) or 24.0.1-IF002 (or later) |
## Workarounds and Mitigations
None
## Impact Assessment
| Base Score | 7.5 |
|---|---|
| Severity | HIGH |