SB2022062815 - Multiple vulnerabilities in IBM Robotic Process Automation
Published: June 28, 2022
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2019-0820)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2020-15522)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a timing issue within the EC math library. A remote attacker who can observe timing information for the generation of multiple deterministic ECDSA signatures is able to reconstruct the private key used for encryption.
3) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-43569)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because the verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) fails to check that the signature is non-zero. A remote unauthenticated attacker can forge signatures on arbitrary messages to execute arbitrary code on the target system.
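The check that item 3 describes as missing is the range validation of the signature components: an ECDSA verifier must reject any signature whose r or s lies outside [1, n-1] before it performs any curve arithmetic, because an all-zero (r, s) collapses the verification equation and a verifier that skips the check can end up accepting it for any message. The following is an added example written for this page, not code from ecdsa-dotnet, IBM or the bulletin: a from-scratch ECDSA over NIST P-256 in Python with a verifier that performs that check up front and also confirms the public key lies on the curve (an extra defensive step, not something the bulletin mentions). The curve constants are the public P-256 domain parameters; the key, message and rejected signatures are constructed for the demonstration.

```python
# Added example (not from the bulletin or from ecdsa-dotnet): minimal ECDSA over
# NIST P-256, implemented from scratch so it runs offline, showing the (r, s)
# range check an ECDSA verifier must perform before doing any curve math.
import hashlib
import secrets

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

INF = None  # the point at infinity (group identity)


def is_on_curve(point):
    """True if the point satisfies y^2 = x^3 + ax + b (mod p)."""
    if point is INF:
        return False
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition / doubling on the short Weierstrass curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = INF
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(message):
    """SHA-256 digest interpreted as an integer, reduced into the scalar field."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def keygen():
    """Random private scalar d in [1, n-1] and public point Q = d*G."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def sign(d, message):
    """Standard ECDSA signing with a fresh random nonce per signature."""
    z = hash_to_int(message)
    while True:
        k = secrets.randbelow(N - 1) + 1
        x, _ = scalar_mult(k, G)
        r = x % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * d) % N
        if s == 0:
            continue
        return (r, s)


def verify(pub, message, sig):
    """ECDSA verification with the range check the bulletin describes as missing."""
    r, s = sig
    # Reject r or s outside [1, n-1] before any arithmetic. With r = s = 0 the
    # equation below degenerates, which is how an all-zero forged signature can
    # slip through a verifier that omits this check.
    if not (1 <= r < N and 1 <= s < N):
        return False
    # Defensive extra (not in the bulletin): the public key must be a valid point.
    if not is_on_curve(pub):
        return False
    z = hash_to_int(message)
    w = pow(s, -1, N)
    u1 = z * w % N
    u2 = r * w % N
    point = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    if point is INF:
        return False
    return point[0] % N == r


if __name__ == "__main__":
    priv, pub = keygen()
    msg = b"constructed sample message"  # constructed input for the demo
    sig = sign(priv, msg)
    print("genuine signature accepted:", verify(pub, msg, sig))
    print("all-zero signature accepted:", verify(pub, msg, (0, 0)))
```

The range check costs nothing and must come before the modular inverse of s and before any point multiplication; placing it after the arithmetic, or relying on the arithmetic to fail, is exactly the pattern that lets the degenerate case through.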
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-may-be-affected-by-multiple-vulnerabilities-in-open-source-components-cve-2019-0820-cve-2020-15522-cve-2021-43569/
- https://www.ibm.com/support/pages/node/6598793