SB2022051084 - Multiple vulnerabilities in IBM Business Automation Workflow and IBM Business Process Manager (BPM) 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022051084

SB2022051084 - Multiple vulnerabilities in IBM Business Automation Workflow and IBM Business Process Manager (BPM)

Published: May 10, 2022 Updated: November 14, 2025

Security Bulletin ID SB2022051084
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper Certificate Validation (CVE-ID: CVE-2021-44531)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of URI Subject Alternative Names. Node.js accepts arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type. A remote attacker can bypass name-constrained intermediates and perform spoofing attack.


2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2021-44532)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.


3) Prototype pollution (CVE-ID: CVE-2022-21824)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to the formatting logic of the console.table() function. A remote attacker can send a specially crafted request and assign an empty string to numerical keys of the object prototype.



4) Infinite loop (CVE-ID: CVE-2022-0778)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the BN_mod_sqrt() function when processing an ASN.1 certificate that contains elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. A remote attacker can supply a specially crafted certificate to the TLS server or client, consume all available system resources and cause denial of service conditions.


5) Improper Certificate Validation (CVE-ID: CVE-2021-44533)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificate subject and issuer fields. A remote attacker can create a certificate with specially crafted multi-value Relative Distinguished Names and perform spoofing attack.


Remediation

Install update from vendor's website.

References