SB2023092706 - Multiple vulnerabilities in IBM Business Automation Workflow

Description

This security bulletin contains information about 17 secuirty vulnerabilities.

1) Untrusted search path (CVE-ID: CVE-2023-30585)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the way Node.js (.msi version) installation process handles a missing %USERPROFILE% environment variable. If the variable is not set, the .msi installer will try to include a current working directory into the search path and will libraries in an unsafe manner. A local user can place a malicious file on the victim's system and execute arbitrary code with elevated privileges.

The vulnerability affects Windows installators only.

2) Input validation error (CVE-ID: CVE-2023-30588)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied public key within the crypto.X509Certificate() API. A remote user can pass an invalid public key to the application and perform a denial of service (DoS) attack.

3) Path traversal (CVE-ID: CVE-2023-30584)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error within the experimental permission model when verifying file permissions. A remote user can send a specially crafted request and read arbitrary files on the system.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30583)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to a missing check in the fs.openAsBlob() API. A remote user leverage fs.openAsBlob() to bypass the experimental permission model when using the file system read restriction with the --allow-fs-read flag.

5) Improper access control (CVE-ID: CVE-2023-30587)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can exploit the Worker class's ability to create an "internal worker" with the kIsInternal Symbol to bypass restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector).

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30586)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to application allows loading arbitrary OpenSSL engines when the experimental permission model is enabled. A remote user can use the crypto.setEngine() API to bypass the permission model when called with a compatible OpenSSL engine and disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory.

7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30582)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error within the experimental permission model when the --allow-fs-read flag is used with a non-* argument. An inadequate permission model fails to restrict file watching through the fs.watchFile API and result in an ability of a remote user to monitor files that they do not have explicit read access to.

8) Inconsistency between implementation and documented design (CVE-ID: CVE-2023-30590)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to inconsistency between implementation and documented design within the generateKeys() API function. The documented behavior is different from the actual behavior, and this difference could lead to security issues in applications that use these APIs as the DiffieHellman may be used as the basis for application-level security.

9) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2023-30589)

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests in the llhttp parser. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-30581)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the use of proto in process.mainModule.proto.require(). This allows to bypass the policy mechanism and require modules outside of the policy.json definition.

11) Path traversal (CVE-ID: CVE-2023-32004)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to improper handling of Buffers in file system APIs. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32002)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions for the Module._load() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.

13) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32559)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to usage of deprecated API process.binding(). A remote attacker can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file.

14) Path traversal (CVE-ID: CVE-2023-32558)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the deprecated API process.binding(). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

15) Path traversal (CVE-ID: CVE-2023-32003)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to a missing check in the fs.mkdtemp() API. A remote attacker can bypass the permission model check using a path traversal attack in fs.mkdtemp() and fs.mkdtempSync().

16) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32006)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions for the module.constructor.createRequire() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.

17) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32005)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an inadequate permission model that fails to restrict file stats through the fs.statfs API. A remote user can retrieve stats from files that they do not have explicit read access to.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7039262