{"id":2740,"date":"2025-05-03T06:33:37","date_gmt":"2025-05-03T06:33:37","guid":{"rendered":"http:\/\/localhost\/?p=2740"},"modified":"2025-05-03T06:33:37","modified_gmt":"2025-05-03T06:33:37","slug":"security-bulletin-security-vulnerabilities-addressed-with-ibm-business-automation-workflow-container","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=2740","title":{"rendered":"Security Bulletin: Security vulnerabilities addressed with IBM Business Automation Workflow container updates in April 2025"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nSecurity Bulletin: Security vulnerabilities addressed with IBM Business Automation Workflow container updates in April 2025<\/td>\n<\/tr>\n
Type<\/th>\nibm<\/td>\n<\/tr>\n
Published<\/th>\n2025-05-03T06:13:21<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-05-03T10:56:46<\/td>\n<\/tr>\n
CVSS Score<\/th>\n7.5 (HIGH)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nUNCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nNONE<\/td>\n<\/tr>\n
Availability Impact<\/th>\nNONE<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2023-50314, CVE-2024-10917, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235, CVE-2024-34155, CVE-2024-45336, CVE-2024-45341, CVE-2025-22866, CVE-2025-22870<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nsoftware<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ## Summary<\/p>\n

Multiple security vulnerabilities are addressed with IBM Business Automation Workflow containers updates in April 2025.<\/p>\n

## Vulnerability Details<\/p>\n

**CVEID:**CVE-2023-50314
\n**DESCRIPTION:** IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
\n**CWE:**CWE-295: Improper Certificate Validation
\n**CVSS Source:** IBM X-Force
\n**CVSS Base score:** 5.3
\n**CVSS Vector:**(CVSS:3.0\/AV:A\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N) <\/p>\n

**CVEID:**CVE-2024-45336
\n**DESCRIPTION:** The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com\/ containing an Authorization header which is redirected to b.com\/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com\/, to b.com\/1, and finally to b.com\/2 would incorrectly send the Authorization header to b.com\/2.
\n**CVSS Source:** CISA ADP
\n**CVSS Base score:** 6.1
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N) <\/p>\n

**CVEID:**CVE-2025-22870
\n**DESCRIPTION:** Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to “*.example.com”, a request to “[::1%25.example.com]:80` will incorrectly match and not be proxied.
\n**CWE:**CWE-115: Misinterpretation of Input
\n**CVSS Source:** CISA ADP
\n**CVSS Base score:** 4.4
\n**CVSS Vector:**(CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:L) <\/p>\n

**CVEID:**CVE-2024-34155
\n**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a stack exhaustion in all Parse* functions. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
\n**CWE:**CWE-1325: Improperly Controlled Sequential Memory Allocation
\n**CVSS Source:** IBM X-Force
\n**CVSS Base score:** 7.5
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H) <\/p>\n

**CVEID:**CVE-2024-45341
\n**DESCRIPTION:** A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
\n**CVSS Source:** CISA ADP
\n**CVSS Base score:** 6.1
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N) <\/p>\n

**CVEID:**CVE-2025-22866
\n**DESCRIPTION:** Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
\n**CVSS Source:** CISA ADP
\n**CVSS Base score:** 4
\n**CVSS Vector:**(CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:N\/A:N) <\/p>\n

**CVEID:**CVE-2024-21235
\n**DESCRIPTION:** Vulnerability in Java SE (component: Hotspot). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to accessible data as well as unauthorized read access to a subset of accessible data.
\n**CVSS Source:** Oracle
\n**CVSS Base score:** 4.8
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N) <\/p>\n

**CVEID:**CVE-2024-21217
\n**DESCRIPTION:** Vulnerability in Java SE (component: Serialization). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS).
\n**CWE:**CWE-502: Deserialization of Untrusted Data
\n**CVSS Source:** Oracle
\n**CVSS Base score:** 3.7
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:L) <\/p>\n

**CVEID:**CVE-2024-21210
\n**DESCRIPTION:** Vulnerability in Java SE (component: Hotspot). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some accessible data.
\n**CWE:**CWE-203: Observable Discrepancy
\n**CVSS Source:** Oracle
\n**CVSS Base score:** 3.7
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N) <\/p>\n

**CVEID:**CVE-2024-21208
\n**DESCRIPTION:** Vulnerability in Java SE (component: Networking). Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS).
\n**CWE:**CWE-203: Observable Discrepancy
\n**CVSS Source:** Oracle
\n**CVSS Base score:** 3.7
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:L) <\/p>\n

**CVEID:**CVE-2024-10917
\n**DESCRIPTION:** In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. From 0.48 the value is correct but may be truncated to include a smaller number of characters.
\n**CWE:**CWE-190: Integer Overflow or Wraparound
\n**CVSS Source:** NVD
\n**CVSS Base score:** 5.3
\n**CVSS Vector:**(CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N)<\/p>\n

## Affected Products and Versions<\/p>\n

Affected Product(s)| Version(s)| Status
\n—|—|—
\nIBM Business Automation Workflow containers| V24.0.1 – V24.0.1-IF001
\nV24.0.0 – V24.0.0-IF004
\nearlier unsupported versions | affected <\/p>\n

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.<\/p>\n

## Remediation\/Fixes<\/p>\n

Affected Product(s)| Version(s)| Remediation \/ Fix
\n—|—|—
\nIBM Business Automation Workflow containers| V24.0.1 – V24.0.1-IF001| Apply 24.0.1-IF002
\nIBM Business Automation Workflow containers| V24.0.0 – V24.0.0-IF004| Apply 24.0.0-IF005
\nIBM Business Automation Workflow containers| earlier unsupported versions| Upgrade to 24.0.0-IF005 (or later) or 24.0.1-IF002 (or later) <\/p>\n

## Workarounds and Mitigations<\/p>\n

None<\/p>\n

##\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n7.5<\/td>\n<\/tr>\n
Severity<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n