JR64938: SECURITY BULLETIN: MULTIPLE SECURITY VULNERABILITIES MAY AFFECT IBM ROBOTIC PROCESS AUTOMATION

APAR status

Closed as program error.

Error description

Summary

Security Bulletin: Multiple Security vulnerabilities may affect
IBM Robotic Process Automation


Vulnerability Details

CVEID:   CVE-2021-3749
DESCRIPTION:   axios is vulnerable to a denial of service,
caused by a regular expression denial of service (ReDoS) flaw in
the trim function. By sending a specially-crafted regex input, a
remote attacker could exploit this vulnerability to cause an
application to consume an excessive amount of CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/208438 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2018-8292
DESCRIPTION:   Microsoft .NET Core could allow a remote attacker
to obtain sensitive information, caused by an open redirect
vulnerability. By persuading a victim to open specially-crafted
content, a remote attacker could exploit this vulnerability to
obtain sensitive information and then use this information to
launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/150375 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:                                              *
* All                                                          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* PROBLEM DESCRIPTION:                                         *
*                                                              *
* No additional information is available.                      *
*                                                              *
* PRODUCTS AFFECTED                                            *
* IBM Robotic Process Automation                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Problem conclusion

A fix that ports fixes for these open source packages to IBM
Robotic Process Automation is available.
First fixed in IBM Robotic Process Automation 21.0.2

Temporary fix

Comments

APAR Information

APAR number
JR64938
Reported component name
RPA
Reported component ID
5737N5100
Reported release
K00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-05-11
Closed date
2022-05-11
Last modified date
2022-05-11

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
RPA
Fixed component ID
5737N5100

Applicable component levels

[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"K00"}]

Document Information

Modified date:
12 May 2022

Tips

JR64938: SECURITY BULLETIN: MULTIPLE SECURITY VULNERABILITIES MAY AFFECT IBM ROBOTIC PROCESS AUTOMATION

Subscribe to this APAR

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

Document Information

Share your feedback

Need support?