IBM Support

JR64907: IBM RPA IS VULNERABLE TO AN ISSUE WHERE AN API COULD BE USED TO PERFORM A DNS LOOKUP VIA A THIRD PARTY PROVIDER.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Summary

IBM Robotic Process Automation is vulnerable to an issue where
an API could be used to perform a DNS lookup via a third party
provider.


Vulnerability Details

CVEID:   CVE-2022-22433
DESCRIPTION:   IBM Robotic Process Automation is vulnerable to
External Service Interaction attack, caused by improper
validation of user-supplied input. A remote attacker could
exploit this vulnerability to induce the application to perform
server-side DNS lookups or HTTP requests to arbitrary domain
names. By submitting suitable payloads, an attacker can cause
the application server to attack other systems that it can
interact with.
CVSS Base score: 2.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/224156 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

Link to Security Bulletin:
https://www.ibm.com/support/pages/node/6573913

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* All                                                          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* No additional information is available.                      *
*                                                              *
* PRODUCTS AFFECTED                                            *
* IBM Robotic Process Automation                               *
*                                                              *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

    



Problem conclusion


    

  • A fix that ports fixes for these open source packages to IBM
Robotic Process Automation is available.
First fixed in IBM Robotic Process Automation 21.0.1.5 and
21.0.2.1

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR64907
    • 

  • Reported component name
    RPA
    • 

  • Reported component ID
    5737N5100
    • 

  • Reported release
    K00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-05-04
    • 

  • Closed date
    2022-05-04
    • 

  • Last modified date
    2022-05-04
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    RPA
    • 

  • Fixed component ID
    5737N5100
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"K00"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            05 May 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback