CVE-2022-35279 - Exposing IBM Business Automation Workflow Version Information – Risks, Code Insights, and How Attackers Exploit It

If you're running IBM Business Automation Workflow (BAW) in your organization, you should know about CVE-2022-35279. This vulnerability relates to multiple BAW versions (from 18.x to 22.x) exposing sensitive version info to authenticated users. While at first glance this may seem minor, knowing the exact software version can help attackers plan more effective attacks. Let’s break down what this CVE is, show you how this info could leak, and discuss what you can do to protect your business.

22..1

These versions could disclose specific product version information to *authenticated users*. IBM’s official notice and the NVD page confirm that knowing the version gives hackers a strong starting point for further attacks.

Why Version Disclosure is a Problem

It might seem harmless if an authenticated user can see the software version, but…

- Targeted Exploits: Attackers can match your version with known unpatched vulnerabilities and weaponize exploits accordingly.
- Social Engineering: Even social engineering attacks (like phishing) are more effective if they reference exact software versions in use.
- Automated Tools: Many hacking tools scan for exact version numbers to find useful attack vectors.

As a result, seemingly trivial leaks can lead directly to compromise.

How does the vulnerability work?

If your organization's BAW is vulnerable, certain API endpoints, HTTP headers, or UI elements might expose detailed version information once a user logs in.

Possible Example

Let’s say a user logs into the BAW interface and checks a certain “About” or system info panel. Or maybe they access a backend API, like /rest/bpm/wle/v1/system.

The response might look something like

{
  "status": "success",
  "product": "IBM Business Automation Workflow",
  "version": "20...2",
  "build": "20211125-1234",
  "os": "Linux"
}

Or, inspecting the HTTP headers might show

X-Powered-By: IBM Business Automation Workflow 20...2

*Note: The above examples are illustrative. Actual field names or output can vary*.

How Attackers Exploit This

Once an attacker (maybe an insider or someone with stolen credentials) identifies the exact BAW version, they can:

For example, cross-referencing 20...2 with NVD, Rapid7, or Exploit-DB for known security holes.

2. Find/Write Tailored Exploits  
  Automated tools (like Metasploit or custom scripts) can target unpatched versions with known RCE, privilege escalation, or DoS bugs.

Plan Phishing or Lateral Attacks

By referencing your real environment (“I saw you’re using IBM BAW 21..2!”), phishing attempts can appear much more credible.

Simulated Exploit Scenario

Here’s a simple Python script simulating how an attacker could query version info from a typical vulnerable endpoint (after logging in):

import requests

# Assume attacker has valid credentials
session = requests.Session()
login_payload = {'username': 'attacker', 'password': 'password123'}

# Example login process (update URLs as needed)
session.post('https://baw.example.com/login';, data=login_payload)

# The suspicious endpoint
r = session.get('https://baw.example.com/rest/bpm/wle/v1/system';)

if r.status_code == 200:
    print("Exposed BAW Version Info:")
    print(r.json())
else:
    print("Could not retrieve system info.")

A real BAW system might show even more metadata than this example. From here, an attacker would research which vulnerabilities exist for that version (see exploit-db.com, NVD, or Rapid7 for public exploits).

Apply IBM Patches!

IBM has released fixes to stop leaking detailed version information. Update ASAP.

Sanitize Version Info

As a best practice, never expose detailed version/build numbers in any web interface or API. If business needs require version data, show only major release families (“IBM BAW v20.x”).

Stay Informed

Watch IBM Security Bulletins for latest updates.

References & Further Reading

- NIST NVD: CVE-2022-35279
- IBM Security Advisory
- IBM Security Bulletins Page
- IBM X-Force Exchange: 230537
- What is Version Disclosure? (OWASP)

Summary

CVE-2022-35279 may not seem as urgent as a remote code execution bug, but leaking exact version data allows attackers to get precise, specific, and more dangerous. IBM customers should patch all affected BAW releases quickly and check their applications and APIs for version leakage. Stay ahead of attackers: reduce your organization’s information footprint wherever possible!


Have questions or want to share your experience? Drop a comment or reach out via IBM Community.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/10/2022 14:18:00 UTC