Security update advisory for IBM products (IBM Maximo Application Suite and others)
Overview
An update has been made available to address vulnerabilities in IBM products. Users of affected versions are encouraged to update to the latest version.
Affected Products
CVE-2023-43804, CVE-2023-25399, CVE-2023-29824, CVE-2023-29159, CVE-2023-27043, CVE-2023-44271, CVE-2023-29159
- IBM Business Automation Workflow containers version 23.0.2
- IBM Business Automation Workflow traditional version 23.0.2
CVE-2023-45133
- IBM Maximo Application Suite version 8.11
Resolved Vulnerabilities
Sensitive information access vulnerability in urllib3 in IBM Business Automation Workflow Machine Learning Server (CVE-2023-43804)
Denial of Service Vulnerability due to a memory leak in the Py_FindObjects function of SciPy in IBM Business Automation Workflow Machine Learning Server (CVE-2023-25399)
Denial of Service Vulnerability due to a use-after-free bug in the Py_FindObjects function of SciPy in IBM Business Automation Workflow Machine Learning Server (CVE-2023-29824)
Directory Traversal Vulnerability due to improper validation of user requests when using StaticFiles in Encode Starlette in IBM Business Automation Workflow Machine Learning Server (CVE-2023-29159)
Security Restriction Bypass Vulnerability when using Python in IBM Business Automation Workflow Machine Learning Server due to a parsing flaw in the email.utils.parseaddr() and email.utils.getaddresses() functions (CVE-2023-27043)
Denial of Service Vulnerability due to an uncontrolled memory allocation flaw in Pillow in IBM Business Automation Workflow Machine Learning Server (CVE-2023-44271)
Starlette Directory Traversal Encoding Vulnerability in IBM Business Automation Workflow Machine Learning Server (CVE-2023-29159)
Code Execution Vulnerability due to a flaw in Babel’s path.evaluate() or path.evaluateTruthy() in IBM Maximo Application Suite (CVE-2023-45133)
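The two Starlette entries above (CVE-2023-29159) describe the same class of defect: a static-file handler that does not confirm the resolved path still lies under the directory it is meant to serve. The following is an added example written for this advisory, not code from Starlette, IBM, or the referenced bulletins. It shows the containment check a static-file handler should perform: percent-decode the request (so encoded `..` segments are seen), collapse `.` and `..` with normpath, and accept the result only if its common prefix with the root is the root itself. The root directory and request strings are constructed for illustration; `resolve_static_path` and `STATIC_ROOT` are hypothetical names. Symlink resolution is omitted so the check runs without touching the filesystem.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root; a real handler would use the directory it serves.
STATIC_ROOT = "/srv/app/static"


def resolve_static_path(root: str, requested: str) -> Optional[str]:
    """Map a requested URL path onto a file path under ``root``.

    Returns the normalized absolute path if it stays inside ``root``,
    otherwise ``None``.  The check is done on the decoded, normalized path
    with posixpath.commonpath, so a sibling directory that merely shares
    the root's string prefix (e.g. /srv/app/static2) is also rejected,
    which a plain startswith() test would miss.
    """
    if not posixpath.isabs(root):
        raise ValueError("root must be an absolute path")

    # Decode once: the OS sees decoded bytes, so the check must too.
    decoded = unquote(requested)

    # NUL bytes can truncate the path in C-level calls; refuse them.
    if "\x00" in decoded:
        return None

    # Treat backslashes as separators and drop any leading slash so the
    # request is always interpreted relative to the root.
    rel = decoded.replace("\\", "/").lstrip("/")

    # Join and collapse '.' / '..' segments.
    candidate = posixpath.normpath(posixpath.join(root, rel))
    root_norm = posixpath.normpath(root)

    # Containment: the only acceptable common prefix is the root itself.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


def demo() -> dict:
    """Run the check over a few constructed requests (constructed sample input)."""
    samples = [
        "css/site.css",                 # ordinary file
        "css/../img/logo.png",          # '..' that stays inside the root
        "../etc/passwd",                # plain traversal
        "%2e%2e/%2e%2e/etc/passwd",     # percent-encoded traversal
        "../static2/secret.txt",        # sibling with a shared prefix
        "logo%00.png",                  # embedded NUL
    ]
    return {s: resolve_static_path(STATIC_ROOT, s) for s in samples}


if __name__ == "__main__":
    for request, path in demo().items():
        print(f"{request!r:32} -> {path if path else 'REJECTED'}")
```

Only the first two requests map to a path; the remaining four are rejected before any file access takes place. The same check is what a reviewer should look for when auditing any handler that turns client-supplied path segments into filesystem paths.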
Vulnerability Patches
Vulnerability patches were made available in the February 19, 2024 update. Please follow the instructions on the referenced site to update to the latest patched version.
CVE-2023-43804, CVE-2023-25399, CVE-2023-29824, CVE-2023-29159, CVE-2023-27043, CVE-2023-44271, CVE-2023-29159
- IBM Business Automation Workflow containers version 23.0.2-IF001
- See the IBM Business Automation Workflow traditional interim fixes reference site [2] for details
CVE-2023-45133
- IBM Maximo Application Suite version 8.11.5
Referenced Sites
[1] Security Bulletin: Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 23.0.2-IF001
https://www.ibm.com/support/pages/node/7120748
[2] Readme for IBM Business Automation Workflow 23.0.2 Machine Learning Server interim fixes
https://www.ibm.com/support/pages/node/7109938
[3] Security Bulletin: IBM Maximo Application Suite uses traverse-7.20.13.tgz which is vulnerable to CVE-2023-45133
https://www.ibm.com/support/pages/node/712067