IBM Support

JR64902: IBM RPA MAY BE VULNERABLE TO AN EXPOSURE OF SENSITIVE INFORMATION BY AN UNAUTHORIZED ACTOR THROUGH FOLLOW-REDIRECTS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Summary

Security Bulletin: IBM Robotic Process Automation may be
vulnerable to an exposure of sensitive information by an
aunauthorized actor through follow-redirects (CVE-2022-0536)
Vulnerability Details
CVEID:   CVE-2022-0536
DESCRIPTION:   Node.js follow-redirects module could allow a
remote authenticated attacker to obtain sensitive information,
caused by a leakage of the Authorization header from the same
hostname during HTTPS to HTTP redirection. By utilize
man-in-the-middle attack techniques, an attacker could exploit
this vulnerability to obtain Authorization header information,
and use this information to launch further attacks against the
affected system.
CVSS Base score: 2.6
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/219551 for
the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Link to security bulletin:
https://www.ibm.com/support/pages/node/6574809

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* All                                                          *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* No additional information is available.                      *
*                                                              *
* PRODUCTS AFFECTED                                            *
* IBM Robotic Process Automation                               *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

    



Problem conclusion


    

  • A fix that ports fixes for these open source packages to IBM
Robotic Process Automation is available.
First fixed in IBM Robotic Process Automation 21.0.1.6 and
21.0.2.3

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR64902
    • 

  • Reported component name
    RPA
    • 

  • Reported component ID
    5737N5100
    • 

  • Reported release
    K00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-05-04
    • 

  • Closed date
    2022-05-04
    • 

  • Last modified date
    2022-05-04
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    RPA
    • 

  • Fixed component ID
    5737N5100
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"K00"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            05 May 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback