IBM Support

JR64861: MULTIPLE VULNERABILITIES IN IBM ROBOTIC PROCESS AUTOMATION

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • CVEID:   CVE-2022-0235
DESCRIPTION:   Node.js node-fetch could allow a remote
authenticated attacker to obtain sensitive information, caused
by a flaw when fetching a remote url with Cookie. By sending a
specially-crafted request, an attacker could exploit this
vulnerability to obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/217758 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2021-22570
DESCRIPTION:   Google Protocol Buffers is vulnerable to a denial
of service, caused by a NULL pointer dereference when a null
char is present in a proto symbol. A remote authenticated
attacker could exploit this vulnerability to cause a denial of
service.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/222154 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2021-36483
DESCRIPTION:   DevExpress.XtraReports.UI could allow a remote
attacker to execute arbitrary code on the system, caused by an
unsafe deserialization flaw. By sending specially-crafted input,
an attacker could exploit this vulnerability to execute
arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/206810 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* All                                                          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* No additional information is available.                      *
*                                                              *
* PRODUCTS AFFECTED                                            *
* IBM Robotic Process Automation                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

    



Problem conclusion


    

  • A fix that ports fixes for these open source packages to IBM
Robotic Process Automation is available.
First fixed in IBM Robotic Process Automation 21.0.1.5 and
21.0.2.2

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR64861
    • 

  • Reported component name
    RPA
    • 

  • Reported component ID
    5737N5100
    • 

  • Reported release
    L00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-04-20
    • 

  • Closed date
    2022-04-20
    • 

  • Last modified date
    2022-04-20
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    RPA
    • 

  • Fixed component ID
    5737N5100
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"L00"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            21 April 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback