Multiple vulnerabilities in IBM Robotic Process Automation
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-0820 CVE-2020-15522 CVE-2021-43569 |
| CWE-ID | CWE-400 CWE-208 CWE-347 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM Robotic Process Automation Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU64730
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0820
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Robotic Process Automation: 21.0.0 - 21.0.2.4
External linkshttp://www.ibm.com/support/pages/node/6598793
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information Exposure Through Timing Discrepancy
EUVDB-ID: #VU55035
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15522
CWE-ID:
CWE-208 - Information Exposure Through Timing Discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The
vulnerability exists due to a timing issue within the EC math library. A remote attacker who can observe timing information for the generation of multiple deterministic ECDSA signatures is able to reconstruct the private key used for encryption.
Install update from vendor's website.
Vulnerable software versionsIBM Robotic Process Automation: 21.0.0 - 21.0.2.4
External linkshttp://www.ibm.com/support/pages/node/6598793
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU64732
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43569
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) fails to check that the signature is non-zero. A remote unauthenticated attacker can forge signatures on arbitrary messages to execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Robotic Process Automation: 21.0.0 - 21.0.2.4
External linkshttp://www.ibm.com/support/pages/node/6598793
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
